X-Permitted-Cross-Domain-Policies
The HTTP X-Permitted-Cross-Domain-Policies response header is an unofficial HTTP header controlling whether web clients like Adobe Acrobat are allowed to load data from a domain using cross-domain policy files.
Usage
The X-Permitted-Cross-Domain-Policies header defines a meta-policy governing access to cross-domain policy files on a server. Cross-domain policy files (typically crossdomain.xml) grant web clients permission to handle data across domain boundaries. Without this header, a permissive policy file added accidentally or through a malicious action opens the door to cross-domain data loading.
Setting the header to none is a common security hardening measure. Flash Player and Silverlight are end-of-life, but Adobe Acrobat and other document readers still honor these policies. The header is also configurable through a <site-control> element inside a master crossdomain.xml policy file.
Note
The "X-" prefix for HTTP headers, where "X" stood for "experimental", has been deprecated; such headers should transition to the formal naming convention for HTTP headers.
Directives
none: The none directive blocks all policy files on the server, including the master policy file. No cross-domain data loading is permitted.
master-only: The master-only directive permits cross-domain access defined in the master policy file only. Policy files hosted at other locations on the server are ignored.
by-content-type: The by-content-type directive permits policy files served with a Content-Type of text/x-cross-domain-policy. This directive applies to HTTP and HTTPS only.
by-ftp-filename: The by-ftp-filename directive permits policy files named crossdomain.xml at URLs ending in /crossdomain.xml. This directive applies to FTP only.
all: The all directive permits all policy files on the target domain.
none-this-response: The none-this-response directive signals that the current document is not a policy file, regardless of its content type or location. This value is exclusive to the HTTP header and has no equivalent in the crossdomain.xml file format.
Example
The none value blocks all cross-domain policy files on the server. No external client is allowed to load data from this domain using a policy file. This is the most common setting and the recommended default for servers with no cross-domain data sharing requirements.
X-Permitted-Cross-Domain-Policies: none
The master-only value allows cross-domain access as defined in the master crossdomain.xml file at the site root, but ignores policy files at any other location on the server. This gives controlled access while preventing rogue policy files from granting unintended permissions.
X-Permitted-Cross-Domain-Policies: master-only
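The directive semantics above, applied to a fetched file, as an added example (not MDN's own code): given the header value in effect and where and how a candidate policy file was served, decide whether a client that honors the meta-policy would accept it, and read the equivalent setting out of a master crossdomain.xml <site-control> element. The sample master file is constructed; treating unknown header values as none is this example's own fail-closed assumption.

```python
"""Evaluate the X-Permitted-Cross-Domain-Policies meta-policy for a policy-file fetch."""
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlsplit

DIRECTIVES = {"none", "master-only", "by-content-type",
              "by-ftp-filename", "all", "none-this-response"}
POLICY_MIME = "text/x-cross-domain-policy"

# Constructed sample master policy file (not from the page).
MASTER_XML = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
</cross-domain-policy>"""


def is_master_policy(url: str) -> bool:
    """The master policy file is /crossdomain.xml at the site root."""
    return urlsplit(url).path == "/crossdomain.xml"


def policy_file_allowed(header: str, url: str, content_type: str = "") -> bool:
    """Apply the meta-policy `header` to a candidate policy file fetched from `url`.

    `content_type` is the response Content-Type (only relevant over HTTP/HTTPS).
    Assumption: unknown or malformed values fail closed, exactly like `none`.
    """
    value = header.strip().lower()
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    mime = content_type.split(";", 1)[0].strip().lower()
    if value not in DIRECTIVES or value in ("none", "none-this-response"):
        return False                     # no policy file on this server / response
    if value == "all":
        return True                      # every policy file on the domain counts
    if is_master_policy(url):
        return True                      # master file is honored by all other values
    if value == "by-content-type":       # HTTP(S) only, must carry the policy MIME type
        return scheme in ("http", "https") and mime == POLICY_MIME
    if value == "by-ftp-filename":       # FTP only, must be named crossdomain.xml
        return scheme == "ftp" and parts.path.endswith("/crossdomain.xml")
    return False                         # master-only: non-master files are ignored


def site_control_policy(master_xml: str) -> Optional[str]:
    """Return the meta-policy declared by <site-control> in a master policy file."""
    elem = ET.fromstring(master_xml).find("site-control")
    return None if elem is None else elem.get("permitted-cross-domain-policies")
```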
Takeaway
The X-Permitted-Cross-Domain-Policies header restricts how web clients locate and use cross-domain policy files. Setting the value to none is the recommended default for servers that do not need cross-domain data loading.