When you use a GET or POST request to send an Authorization header (using XML.addRequestHeader() and LoadVars.addRequestHeader() in ActionScript 2.0, or URLRequest.requestHeaders in ActionScript 3.0), the request fails and the header is not sent.


Starting with Adobe Flash Player the Authorization header was added to the blacklist of HTTP headers and, only in this version, was blocked by Flash Player. For Flash Player versions later than, the Authorization header is notblocked, but the destination domainrequires a crossdomain.xml file to specify that the Authorization header is allowed, if it is different from the domain hosting the SWF file.

For a complete list of all blacklisted headers, refer to "You receive an ActionScript error when a HTTP send action contains certain headers" (TechNote kb403030).


The cross-domain policy file tag <allow-http-request-headers-from> allows a remote domain to accept specific headers sent from Flash Player. A site that wishes to permit receipt of the Authorization header from a SWF file on another domain must include the tag in its crossdomain.xml file. For example, if a remote domain would like to grant permission to a SWF file hosted on to send it an Authorization header, its cross-domain policy file may look like the following:

 <?xml version="1.0"?>
	    <!DOCTYPE cross-domain-policy SYSTEM ""> 
	    <allow-http-request-headers-from domain="" headers="Authorization"/>

Note: Even with this policy file, an Authorization header is not sent from a SWF file running in Flash Player since all Authorization headers were blocked in that release. The <allow-http-request-headers-from> tag is only recognized in versions of the Flash Player greater than

For more information on the new <allow-http-request-headers-from> tag for cross-domain policy files and how to allow Flash Player to send headers to remote domains, please refer to "Arbitrary headers cannot be sent from the Flash Player to remote domains without a cross-domain policy file" (TechNote kb403185).

For more information on cross-domain policy files in general, refer to "External data not accessible outside a Flash movie's domain" (TechNote tn_14213).

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.

Legal Notices   |   Online Privacy Policy