Dropped the never-released ap_has_cntrls() as it had very limited and inefficient application at that, added ap_scan_vchar_obstext() to accomplish a similar purpose.
Dropped HttpProtocolOptions StrictURL option, this will be better handled in the future with a specific directive and perhaps multiple levels of scrutiny, use ap_scan_vchar_obstext() to simply ensure there are no control characters or whitespace within the URI.
Changed the scanning of the response header table by check_headers() to follow the same rulesets as reading request headers. Disallow any CTL character within a response header value, and any CTL or whitespace in response header field name, even in strict mode.
Apply HttpProtocolOptions Strict to chunk header parsing, invalid whitespace is invalid, line termination must follow CRLF convention.