X-Permitted-Cross-Domain-Policies: Secure your PDFs (and Flash, if flash is still a thing when you read this post)
Adobe Flash and Reader documents can embed external content, but only if the serving site has explicitly stated that this is allowed, and in which cases, by means of a crossdomain.xml policy file. X-Permitted-Cross-Domain-Policies adds a second layer of security by limiting where clients may look for such a file, so that a policy file uploaded elsewhere on the site, maliciously or by accident, is not honoured.
It offers the following directives:

none: No policy files are allowed.
master-only: Only check the root directory of the website for policy files.
by-content-type: Only accept policy files served with the Content-Type text/x-cross-domain-policy.
by-ftp-filename: Only accept cross-domain requests over FTP whose policy file is named crossdomain.xml.
all: Allow any crossdomain.xml file.
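The following is an added example, not code from the original post: it audits the two controls described above, the X-Permitted-Cross-Domain-Policies response header (flagging a missing or permissive value) and the root crossdomain.xml (flagging a wildcard origin and a permissive site-control setting). The header dicts and policy documents are constructed samples.

```python
# Added example: audit the response header and the master crossdomain.xml.
# The sample headers and policy XML below are constructed for illustration.
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# The five directives the header defines.
VALID = {"none", "master-only", "by-content-type", "by-ftp-filename", "all"}

def header_directive(headers: Dict[str, str]) -> Optional[str]:
    """Case-insensitive lookup of the header; returns its lower-cased value or None."""
    for name, value in headers.items():
        if name.lower() == "x-permitted-cross-domain-policies":
            return value.strip().lower()
    return None

def audit_header(headers: Dict[str, str]) -> str:
    """'missing', 'invalid', 'weak' (all) or 'ok' (none, master-only, by-*)."""
    directive = header_directive(headers)
    if directive is None:
        return "missing"
    if directive not in VALID:
        return "invalid"
    return "weak" if directive == "all" else "ok"

def audit_master_policy(xml_text: str) -> List[str]:
    """Findings for a root crossdomain.xml: wildcard access and permissive site-control."""
    findings = []
    root = ET.fromstring(xml_text)
    for control in root.iter("site-control"):
        if control.get("permitted-cross-domain-policies", "").lower() == "all":
            findings.append("site-control honours policy files anywhere on the host")
    for rule in root.iter("allow-access-from"):
        if rule.get("domain") == "*":
            findings.append('allow-access-from domain="*" grants every origin')
    return findings

# Constructed samples: a weak configuration beside a hardened one.
WEAK_HEADERS = {"Content-Type": "text/html", "X-Permitted-Cross-Domain-Policies": "all"}
HARDENED_HEADERS = {"Content-Type": "text/html", "X-Permitted-Cross-Domain-Policies": "none"}
WEAK_POLICY = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""
STRICT_POLICY = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="app.example.com" secure="true"/>
</cross-domain-policy>"""

if __name__ == "__main__":
    print("weak:", audit_header(WEAK_HEADERS), audit_master_policy(WEAK_POLICY))
    print("hardened:", audit_header(HARDENED_HEADERS), audit_master_policy(STRICT_POLICY))
```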