What are the security restrictions in setting HTTP headers?
Problem
Flash player supports setting HTTP headers. But it seems to work only in some cases. What are the exact security restrictions involved in setting HTTP headers?
Solution
Two things have to considered: the header blacklist and crossdomain.
Detailed explanation
The flash player has a blacklist of HTTP headers that cannot be set. If the header you wanted to set falls in this list, then you cannot set it.
On Flash Player 9.0.115, the Authorization header was blacklisted. Player versions above that does not have the Authorization header blacklisted. So if you need to use this header (usually when there is HTTP basic authentication involved), upgrade to any version after 9.0.115.
Now, if you are setting headers on a URL request that is targeted at a different domain than that from which the SWF was served, you have to consider the crossdomain.xml file.
The crossdomain.xml file is used to check if your SWF can set headers (and which ones). This is documented at Adobe Technote.
