X-Permitted-Cross-Domain-Policies: Secure your PDFs (and Flash, if Flash is still a thing when you read this post)

Adobe Flash and Reader documents can load content from other domains, but only if the source domain has explicitly stated that this is allowed, and in which cases, by means of a crossdomain.xml policy file. X-Permitted-Cross-Domain-Policies adds a second layer of security by limiting where clients may look for a policy file, so that a maliciously or unintentionally uploaded policy file is not honoured.

It offers the following directives:

  • none: No policy files are allowed.
  • master-only: Only the policy file in the root directory of the website (the master policy) is honoured.
  • by-content-type: Only policy files served with the Content-Type text/x-cross-domain-policy are honoured (HTTP/HTTPS only).
  • by-ftp-filename: Only policy files named crossdomain.xml are honoured (FTP only).
  • all: Any crossdomain.xml file on the site is honoured.

This entry is part of the Security Headers series.
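As an added example (not code from the original post), here is a small Python checker that reads the header from a set of response headers and, optionally, the site-control meta-policy from the master crossdomain.xml, and flags a missing or permissive directive and a mismatch between the two. The header and XML element names are the ones Adobe defines; the sample responses and policy file below are constructed.

```python
"""Check X-Permitted-Cross-Domain-Policies against the master crossdomain.xml."""
import xml.etree.ElementTree as ET

# Directives Adobe defines for the header and for <site-control>.
VALID_DIRECTIVES = {"none", "master-only", "by-content-type", "by-ftp-filename", "all"}


def header_directive(headers):
    """Return the header's directive (lower-cased, stripped), or None if absent."""
    for name, value in headers.items():
        if name.lower() == "x-permitted-cross-domain-policies":
            return value.strip().lower()
    return None


def master_policy_directive(xml_text):
    """Return permitted-cross-domain-policies from <site-control> in a master policy, or None."""
    root = ET.fromstring(xml_text)
    site_control = root.find("site-control")
    if site_control is None:
        return None
    value = site_control.get("permitted-cross-domain-policies", "").strip().lower()
    return value or None


def assess(headers, master_xml=None):
    """Return a list of findings; an empty list means the header is present, valid and restrictive."""
    findings = []
    directive = header_directive(headers)
    if directive is None:
        findings.append("header missing: clients decide on their own which policy files to honour")
    elif directive not in VALID_DIRECTIVES:
        findings.append(f"unknown directive {directive!r}: clients will not apply it")
    elif directive == "all":
        findings.append("directive 'all': a policy file uploaded anywhere on the site would be honoured")
    if master_xml is not None and directive is not None:
        meta = master_policy_directive(master_xml)
        if meta is not None and meta != directive:
            findings.append(f"header says {directive!r} but site-control says {meta!r}: keep them consistent")
    return findings


# Constructed sample inputs (not real sites).
SAMPLE_MASTER_XML = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="static.example.test" secure="true"/>
</cross-domain-policy>"""

if __name__ == "__main__":
    print(assess({"X-Permitted-Cross-Domain-Policies": "master-only"}, SAMPLE_MASTER_XML))
    print(assess({"x-permitted-cross-domain-policies": "all"}, SAMPLE_MASTER_XML))
```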