Adobe Flash Player onwards allows setting Authorization HTTP header

There were some issues with some earlier version of players, where it was not possible to set Authorization http-header for HTTP/GET requests. I tried to hack a way to do it using Socket or custom http-client in actionscript.

I just happened to read one of the technotes at Adobe’s site, which says Authorization header is allowed for Flash Player onwards. If you are trying to send request to another domain (different from the one hosting the SWF), a crossdomain-policy file is required.

  • For Flash Player 9.0.115+ when sending HTTP headers “crossdomain” as you know a crossdomain.xml with allow-http-request-headers-from set appropriately.

    If the crossdomain.xml file is protected by Basic Authentication, you keep getting the Basic Authorization popup. Expose crossdomain.xml and make it unsecured. Example a folder ‘above’ the secured folder – i.e.
    and your crossdomain should be at, which would load the crossdomain from the root of the ‘service’ web server)

    About SENDING basic authentication

    import mx.utils.Base64Decoder;
    import mx.utils.Base64Encoder;
    import mx.controls.Alert;
    import flash.system.*;


    /* pass authorization header with urlRequest */
    public function doURLRequest():void {
    var loader:URLLoader = new URLLoader();
    // the username and password for authentication
    var creds:String=”admin:password”;

    var request:URLRequest = new URLRequest(“”); = new URLVariables(“name=Plat+Fuse”);
    request.method = URLRequestMethod.GET;

    var header:URLRequestHeader;

    var encoder:Base64Encoder = new Base64Encoder();
    var encodedCreds:String=encoder.toString();

    header = new URLRequestHeader(“Authorization”, “Basic ” + encodedCreds);
    header = new URLRequestHeader(“Content-Type”, “application/x-www-form-urlencoded”);
    try {
    } catch (error:Error) {
    trace(“Unable to load requested document.”);

    private function configureListeners(dispatcher:IEventDispatcher):void {
    dispatcher.addEventListener(Event.COMPLETE, completeHandler);
    dispatcher.addEventListener(Event.OPEN, openHandler);
    dispatcher.addEventListener(ProgressEvent.PROGRESS, progressHandler);
    dispatcher.addEventListener(SecurityErrorEvent.SECURITY_ERROR, securityErrorHandler);
    dispatcher.addEventListener(HTTPStatusEvent.HTTP_STATUS, httpStatusHandler);
    dispatcher.addEventListener(IOErrorEvent.IO_ERROR, ioErrorHandler);

    private function completeHandler(event:Event):void {
    var loader:URLLoader = URLLoader(;“completeHandler: ” +;

    private function openHandler(event:Event):void {
    trace(“openHandler: ” + event.toString());

    private function progressHandler(event:ProgressEvent):void {
    trace(“progressHandler loaded:” + event.bytesLoaded + ” total: ” + event.bytesTotal);

    private function securityErrorHandler(event:SecurityErrorEvent):void {“securityErrorHandler: ” + event.toString());

    private function httpStatusHandler(event:HTTPStatusEvent):void {
    trace(“httpStatusHandler: ” + event.toString());

    private function ioErrorHandler(event:IOErrorEvent):void {“ioErrorHandler: ” + event.toString());

    The key is you need to

    set or the headers will not get sent:
    # = new URLVariables(”name=Plat+Fuse”);

    Make the request a POST, not a GET
    # request.method = URLRequestMethod.POST;

  • @Platfuse Thanks for update, just curious is it solution or a problem here?
    Never mind, I am not top on Flash world these days.

  • Christian Boese

    Do I understand it right: There still ist no way to send an HTTP-Basic Authorization Header with a GET Request? I tried a lot of things and still (even with the new player) couldn’t get it to work withthe standard URLRequest. With HTTPURLRequest (thanks again for the code!) it works (given a good crossdomain-file served on port 843).

  • @Christian AFAIK, yeah there is no way to send HTTP AUTH headers over GET request.
    Great to hear, code still works. Thanks for using it.
    You can check out the latest at:

  • Danny

    I’ve been struggling with this issue. Objective is to interact with the google calendar api which requires a name/password login, then getting a key from the response and using it as the auth token in the Authorization header of subsequent requests.
    As you say, the flash players from 9.0.115 and beyond now allow the setting of the authorization header however, the GET requests can’t have the auth header so it has to be a POST with request data. If it doesn’t have request data, then it gets converted from a POST to a GET and say bye to the auth header. Adding request data, however, messes up the use of the Google Calendar API as far as I can tell, which expects zero content.
    I’ve pinged Matt Chotin and he responded that the browsers implementing the flash plugin take some responsibility for the problems so its not something Adobe can readily fix.
    Still, does that mean Flex can’t interface with all the great network api’s out there? Your socket approach holds promise to get around the problem, but it would be a big project to take on to do it right and my vote would be on Adobe taking it on unless they can pressure the browswer guys. I guess it would be a “brute force” approach to getting http auth instead of using higher level apis of the browswer products.
    So as it is, I can use AIR just fine, which uses hooks to windows (in my case) to send the http auth, but no hope on the horizon for flex apps.
    I’ll give your socket code a try to achieve this, but not sure the long term potential or maintainability.
    thanks for your work,

  • @Danny You are right, doing HTTP Auth over HTTP/GET is not possible with Flash Player as of now.
    I just figured out, some folks found my class useful.
    You might want to ask them, how they used it. If they modified the code, would they want to share it with you?

  • Danny

    Hi Abdul,
    I’ve been trying out your socket based httpclient. It works well but for the application I’m working on, it faces a problem with google responding with a 302 not found/redirect before the cookie/sessionkey is available. In this case a normal http client redirects “under the covers” but I’ve found your client doesn’t automagically handle redirects. I’ve also seen the defect list where it is highlighted. Before I write a 302 handler, could you tell me if you’ve addressed or are planning to address this feature? I imagine there are numerous other low level conditions that need handling, and the wish list could be long, although my application is limited to interfacing with some google apis and possibly amazon s3 apis. Are there other “abnormal” response codes that folks have flagged with your client?
    I saw your input to the blog input to Scoop (users of your framework). I don’t think they should have a problem with original auth using https. In my app, I do first login with https using the normal flex/air httpservice, then use your client for subsequent calls which require setting the auth header returned from the original httpservice based login. I’m not sure exactly the app their using but I think using your framework in concert with the flex one can get around many problems.
    thanks again,

  • Hello,
    thank you for this great work. It helped me solving some authorization problems I had with my site.

  • april

    Can I use the same method connect to https server? why I always get IO error?

  • hello julia here..Ensure that you have the latest version of Flash Player installed by clicking here to check the version. The current version of Flash Player 9 for Windows, Macintosh, and Linux operating systems is The current version of Flash Player 9 for Solaris operating systems is