Kevin.Deenanauth;

Right now I am trying to fix a web app with a Flash frontend that suddenly broke because of a major change in Flash player.

Adobe put out a new release of Flash Player 9 that disables the authorization header from being sent when doing any web request within a Flash file. It’s documented here.

I agree, you can do some pretty naughty things if you have complete control of the headers the web browser is sending. A lot of these headers are legitimate. I’m not so sure about “Accept-Encoding.” But “Authorization”? Here’s why Adobe did it. Yes, sure hackers can send a request to another website. But if Flash doesn’t let them do it, then they’ll do it with Javascript.

Cross-site scripting should be banned - not legitimate headers. Macromedia got this right in the past if you look at all the security documentation for Flash. Maybe with the advent of AIR they’re afraid of a tarnished image. But I think Adobe overstepped their bounds this time and potentially broke a lot of applications. There are even tutorials on how to do basic authentication with Actionscript.

I am not the only person infuriated with this change: URLRequestHeader in AS3 Can Not Use Authorization Header

Makes me a little wary of using Flash in the future. I understand the reasons, but I can’t believe they fixed it in the way they did.