Which headers are allowed in Flash Player?

Posted: 08/05/08


OK, so since the shake-up over the Flash Player security vulnerabilities, with header restrictions that were introduced in player 9.0.115.0 and became strictly enforced in 9.0.124.0, there seems to be a lot of confusion about which headers you can and can't send via the URLRequestHeader object.

Below is the list of apparently banned headers:

* A NULL header string
* Accept-Charset
* Accept-Encoding
* Accept-Ranges
* Age
* Allow
* Allowed
* Connection
* Content-Length
* Content-Location
* Content-Range
* Cookie (whilst not documented, I can't append it)
* Date
* ETag
* Expect
* Host
* Keep-Alive
* Last-Modified
* Location
* Max-Forwards
* Proxy-Authenticate
* Proxy-Authorization
* Public
* Range
* Referer
* Retry-After
* Server
* TE
* Trailer
* Transfer-Encoding
* Upgrade
* URI
* User-Agent
* Vary
* Via
* Warning
* WWW-Authenticate
* x-flash-version

One thing I've noticed since Adobe and Opera 'collaborated' on the fix for these issues is that HTTP headers originating from Flash applications embedded in Opera browsers arrive at the server with TWO referrer headers. I suspect there is a bug here, but I'll look a little more into it and post back soon.

Update 09/04/09: The latest version of Opera has resolved this problem by only ever sending one "referer" value (misspelled as per the HTTP spec).
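The practical use of the list above, from the server side, is knowing which header values in a request from a Flash client could have been set by SWF code and which are always set by the player or browser. The following is an added example (not code from the post or from Adobe) that parses a raw HTTP request, splits its header names along the banned list, and also reports duplicate names such as the double Referer described above; the sample request and the header names it carries are constructed for illustration.

```python
# Header names Flash Player (9.0.124.0 and later) refuses to send from a
# URLRequestHeader, per the post; the empty name stands for the NULL header.
BANNED_HEADERS = {name.lower() for name in (
    "", "Accept-Charset", "Accept-Encoding", "Accept-Ranges", "Age", "Allow",
    "Allowed", "Connection", "Content-Length", "Content-Location",
    "Content-Range", "Cookie", "Date", "ETag", "Expect", "Host", "Keep-Alive",
    "Last-Modified", "Location", "Max-Forwards", "Proxy-Authenticate",
    "Proxy-Authorization", "Public", "Range", "Referer", "Retry-After",
    "Server", "TE", "Trailer", "Transfer-Encoding", "Upgrade", "URI",
    "User-Agent", "Vary", "Via", "Warning", "WWW-Authenticate",
    "x-flash-version",
)}


def parse_headers(raw_request):
    """Return the header block of a raw CRLF-delimited HTTP request as a list
    of (name, value) pairs, stopping at the blank line before the body."""
    headers = []
    for line in raw_request.split("\r\n")[1:]:  # skip the request line
        if line == "":
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def audit_request(raw_request):
    """Classify each header name (lowercased, since HTTP names are case-
    insensitive) as player/browser-controlled (banned for SWF code) or as one
    a SWF could have set itself, and report names that appear more than once."""
    names = [name.lower() for name, _ in parse_headers(raw_request)]
    return {
        "player_controlled": sorted({n for n in names if n in BANNED_HEADERS}),
        "swf_settable": sorted({n for n in names if n not in BANNED_HEADERS}),
        "duplicates": sorted({n for n in names if names.count(n) > 1}),
    }


# Constructed sample (not a real capture): the double Referer the post reports
# for an Opera-embedded SWF, plus two headers a SWF is allowed to add.
SAMPLE_REQUEST = (
    "POST /upload HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Referer: http://example.test/app.swf\r\n"
    "Referer: http://example.test/page.html\r\n"
    "Content-Type: application/octet-stream\r\n"
    "X-Requested-With: ShockwaveFlash\r\n"
    "\r\n"
    "payload"
)
```

Calling `audit_request(SAMPLE_REQUEST)` reports `host` and `referer` as player-controlled, `content-type` and `x-requested-with` as settable from the SWF, and `referer` as duplicated.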

More information about the changes in the recent security update can be obtained from:

Adobe's security update PDF
