TechNote

ActionScript error when an HTTP send action contains certain headers (Flash Player)

Issue

You receive an ActionScript error when an HTTP send action contains certain headers.

Reason

Adobe Flash Player blocks certain HTTP headers from being sent through network APIs for security reasons. Network requests with headers added using addRequestHeader that match the following list will generate a security error, and the network request will not be made.

Prior to Flash Player 9, the following headers were blocked:

headers: Age Allow Allowed Connection Content-Length Content-Location Content-Range ETag Host Last-Modified Location Max-Forwards Proxy-Authenticate Proxy-Authorization Public Range Retry-After Server TE Trailer Transfer-Encoding Upgrade URI Vary Via Warning WWW-Authenticate

Starting with Flash Player 9.0.16, the following headers are blocked:

Note: These changes were also made in corresponding security releases for Flash Player 7 and 8.

headers: Referer GET POST PUT DELETE OPTIONS TRACE x-flash-version

Starting with Flash Player 9.0.28, the following headers are blocked:

Note: These changes were also made in corresponding security releases for Flash Player 7 and 8.

headers: Accept-Charset Accept-Encoding Date Expect Keep-Alive User-Agent

Starting with Flash Player 9.0.115, the following headers are blocked:

Note: These changes were also made in corresponding security releases for Flash Player 7 and 8.

headers: CONNECT Cookie HEAD Request-Range Authorization Proxy-Connection

Starting with Flash Player 9.0.124:

In Flash Player 9.0.124.0 the Authorization header is no longer blocked. For more detail see "An Authorization header does not work for an HTTP request" (TechNote kb403184).

Starting with Flash Player 10.0.22.87, the following header is blocked:

Note: This change was also made in corresponding security releases for Flash Player 7 and 8.

headers: ORIGIN

Additional Information

In Flash Player 9.0.28.0 and later, you can no longer make a Socket or XMLSocket connection to a port number less than 1024 under certain circumstances. To learn more about these circumstances, see "Socket connections to ports below 1024 no longer function" (TechNote kb400764).