Low Security Header

X-Permitted-Cross-Domain-Policies

Learn how to control cross-domain policy file access for legacy plugins.

SiteSecurityScore Team·6 min read·Updated Feb 20, 2026

X-Permitted-Cross-Domain-Policies is a response header that tells clients which implement Adobe's cross-domain policy mechanism, historically Flash Player and still Adobe Acrobat and Reader, whether they may honor cross-domain policy files served from your origin. Browsers themselves ignore it; it has no effect on CORS or on the same-origin policy for ordinary web content. Flash Player reached end of life in December 2020, but PDF readers and other Adobe products still look for crossdomain.xml, so the header is still worth setting. A value of 'none' tells those clients to honor no policy file at all, closing off cross-domain reads through these legacy mechanisms.

What are Cross-Domain Policies?#

Cross-domain policy files are XML configuration files that grant web clients permission to access data across different domains. Adobe Flash used crossdomain.xml, and Microsoft Silverlight used clientaccesspolicy.xml. These files could be placed at the root of a web server to explicitly allow cross-domain data loading, similar to how CORS works for modern web applications.

  • crossdomain.xml controls access for Flash Player and Adobe Acrobat/Reader
  • clientaccesspolicy.xml controlled access for Microsoft Silverlight (now fully deprecated)
  • These files can grant broad permissions that override same-origin restrictions
  • A permissive policy file could allow any domain to read data from your server
Still Relevant Today

Even though Flash Player reached end of life in December 2020, Adobe Acrobat and Reader still respect crossdomain.xml files when loading external data into PDFs. This means a misconfigured policy file could still allow cross-domain data access through PDF documents.

Security Risks of Cross-Domain Policy Files#

The primary risk comes from overly permissive policy files, or from the client's fallback behaviour when no header is set. Without X-Permitted-Cross-Domain-Policies, a compliant client decides for itself which policy files to trust, starting with the master file at /crossdomain.xml, and honors whatever access those files grant.

  • A wildcard crossdomain.xml (allow-access-from domain="*") lets content from any site read responses from your server; Flash Player made those requests from the victim's browser with their session cookies attached, so authenticated data was exposed, not just public pages
  • No memory-corruption exploit is needed: a malicious SWF or PDF hosted on an attacker's site simply requests your URLs and reads the responses the policy permits
  • Legacy policy files may remain on servers long after the original need has passed
  • If the effective meta-policy is 'by-content-type' or 'all', a file upload flaw that lets an attacker place a crossdomain.xml elsewhere on the site is enough on its own to grant access
Check Your Server

Many servers still have crossdomain.xml files from years ago when Flash was common. Audit your web root for these files and remove them if they are no longer needed. Set X-Permitted-Cross-Domain-Policies to 'none' as an additional safeguard.

How the Header Works#

The header carries what Adobe's specification calls the site's meta-policy: the rule a compliant client applies when deciding which policy files on the server it may honor at all. The same meta-policy can be declared inside the master policy file with <site-control permitted-cross-domain-policies="..."/>; the header lets you set it from server configuration without any policy file on disk, which is what makes it a useful safeguard against stale or attacker-supplied files. Clients read the header from the HTTP response they get when they request the master policy file at /crossdomain.xml, so send it on every response, including 404s (that is what the 'always' keyword in the Apache and Nginx snippets below does), rather than only on successful ones.

  • 'none': no policy file anywhere on the server is honored, not even /crossdomain.xml; the most secure option
  • 'master-only': only the master policy file at /crossdomain.xml is honored; files in subdirectories, including uploads, are ignored
  • 'by-content-type': any file served with Content-Type: text/x-cross-domain-policy is honored as a policy file, so whoever controls the content type of a served file controls access
  • 'all': any policy file on the server is honored, including one an attacker manages to upload; the least secure option

The specification also defines 'by-ftp-filename' for policy files served over FTP; it has no meaning for an HTTP site and is listed here only so it is not mistaken for a typo if you meet it in a scanner report.
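Putting the rules above into code: the following Python, added here as an example and not part of SiteSecurityScore's page or tooling, combines the header value with the <site-control> meta-policy found in a crossdomain.xml body, then flags the permissive grants from the risk list earlier on the page. The two policy files and the header values are constructed samples. The conflict rule (the more restrictive of header and file wins) and the 'master-only' default when nothing is declared are this example's reading of Adobe's specification; treat them as assumptions when interpreting its output.

```python
"""Evaluate a site's effective cross-domain meta-policy and flag risky
crossdomain.xml entries. Added example, not SiteSecurityScore code; the
header values and policy files below are constructed samples."""
import xml.etree.ElementTree as ET  # use defusedxml when parsing untrusted files

# Meta-policy values, most restrictive first, as named in Adobe's
# cross-domain policy file specification.
META_POLICIES = ("none", "master-only", "by-content-type", "by-ftp-filename", "all")

# Values under which a policy file that is NOT /crossdomain.xml can be honored.
NON_MASTER_OK = ("by-content-type", "by-ftp-filename", "all")


def _site_control_policy(master_xml):
    """Meta-policy declared by <site-control> in the master policy file, or None."""
    if not master_xml:
        return None
    root = ET.fromstring(master_xml)
    site_control = root.find("site-control")
    if site_control is None:
        return None
    value = site_control.get("permitted-cross-domain-policies", "").strip().lower()
    return value if value in META_POLICIES else None


def effective_meta_policy(header_value, master_xml):
    """Combine the X-Permitted-Cross-Domain-Policies header with <site-control>.

    Assumption (this example's reading of the spec): when both declare a
    meta-policy the more restrictive one applies, and the default with no
    declaration anywhere is 'master-only'.
    """
    declared = []
    if header_value:
        value = header_value.strip().lower()
        if value in META_POLICIES:
            declared.append(value)
    file_value = _site_control_policy(master_xml)
    if file_value:
        declared.append(file_value)
    if not declared:
        return "master-only"
    return min(declared, key=META_POLICIES.index)


def policy_findings(policy_xml):
    """Flag grants in a policy file that expose data more widely than intended."""
    findings = []
    root = ET.fromstring(policy_xml)
    for element in root.iter():
        if element.tag not in ("allow-access-from", "allow-http-request-headers-from"):
            continue
        domain = element.get("domain", "")
        if domain == "*":
            findings.append(f'{element.tag}: domain="*" grants every site access')
        elif domain.startswith("*."):
            findings.append(f"{element.tag}: {domain} grants every host under that domain access")
        # secure defaults to true; false lets http:// content read https:// responses
        if element.get("secure", "true").strip().lower() == "false":
            findings.append(f'{element.tag} domain="{domain}": secure="false" allows plain-http callers')
    return findings


def audit(header_value, master_xml):
    """Return the effective meta-policy and the findings an auditor would report."""
    meta = effective_meta_policy(header_value, master_xml)
    findings = []
    if not header_value:
        findings.append("header missing: meta-policy depends entirely on files on disk")
    if meta in NON_MASTER_OK:
        findings.append(f"meta-policy '{meta}' honors policy files outside /crossdomain.xml, "
                        "so an uploaded file could grant access")
    if master_xml and meta != "none":  # under 'none' the file is never honored
        findings.extend(policy_findings(master_xml))
    return {"meta_policy": meta, "findings": findings}


# Constructed samples: a stale wildcard file and a tightly scoped one.
WILDCARD_XML = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>"""

RESTRICTED_XML = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="app.example.com"/>
</cross-domain-policy>"""

if __name__ == "__main__":
    cases = [("stale wildcard, no header", None, WILDCARD_XML),
             ("wildcard file but header none", "none", WILDCARD_XML),
             ("restricted file, header master-only", "master-only", RESTRICTED_XML)]
    for label, header, body in cases:
        report = audit(header, body)
        print(f"{label}: meta-policy={report['meta_policy']}")
        for finding in report["findings"]:
            print(f"  - {finding}")
```

The second case is the one the header is for: the wildcard file is still on disk, yet with the header set to 'none' the audit reports nothing because no client will read it. That is a safety net, not a reason to keep the file; the first case shows what the same file exposes the moment the header is dropped from the server configuration.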

Implementation Guide#

For most modern websites, the recommended setting is 'none' since there is rarely a legitimate need for cross-domain policy file access. This effectively disables all legacy cross-domain data sharing through Adobe products.

Configuration

# Apache (.htaccess or httpd.conf), requires mod_headers
Header always set X-Permitted-Cross-Domain-Policies "none"

# Nginx
add_header X-Permitted-Cross-Domain-Policies "none" always;

# Node.js / Express
app.use((req, res, next) => {
  res.setHeader('X-Permitted-Cross-Domain-Policies', 'none');
  next();
});

# Also remove any existing policy files
# rm /var/www/html/crossdomain.xml
# rm /var/www/html/clientaccesspolicy.xml

Best Practices#

Follow these guidelines to properly manage cross-domain policy controls on your server.

  • Set the header to 'none' unless you have a specific, documented need for cross-domain policy access
  • Audit your web root for crossdomain.xml and clientaccesspolicy.xml files and remove if unused
  • If you must use a policy file, restrict it to specific trusted domains rather than using wildcards, and leave the secure attribute at its default of "true" so plain-HTTP content cannot read HTTPS responses
  • Include this header as part of your standard security header configuration
  • Combine with Content-Security-Policy and X-Frame-Options for comprehensive protection

Implementation Examples#

No Cross-Domain Access

X-Permitted-Cross-Domain-Policies: none

Prevents all cross-domain policy file access

Explanation: The most secure option. No policy file is honored, including /crossdomain.xml, so even a stale wildcard file left on disk grants nothing. Use this unless you deliberately still serve data to Flash or Acrobat clients.

Master Only

X-Permitted-Cross-Domain-Policies: master-only

Only the master policy file at /crossdomain.xml is honored

Explanation: Policy files in subdirectories, including anything placed through an upload feature, are ignored. Access is then governed entirely by the single master file, which should name specific domains rather than a wildcard.

By Content Type

X-Permitted-Cross-Domain-Policies: by-content-type

Honors policy files served with Content-Type: text/x-cross-domain-policy

Explanation: Any file anywhere on the server counts as a policy file if it is served with that content type. This is only safe when untrusted users can never influence the Content-Type of something the server serves, which rules out most applications that accept file uploads.

Key Directives#

  • none: no cross-domain policy file is honored
  • master-only: only the master policy file at /crossdomain.xml is honored
  • by-content-type: policy files served as text/x-cross-domain-policy are honored, wherever they sit
  • all: every policy file on the server is honored
