X-Permitted-Cross-Domain-PoliciesX-Permitted-Cross-Domain-Policies specifies how far to trust cross-domain policy files (crossdomain.xml) that clients like Adobe Flash and Adobe Reader (PDF) consult when accessing this domain's resources. It is usually set to none to categorically block legacy plugins from accessing data.
Flash and Acrobat checked a policy file such as /crossdomain.xml at the server root before reading another domain's data. If that policy was overly permissive (e.g. <allow-access-from domain="*"/>) the mechanism became a channel for cross-domain data theft. X-Permitted-Cross-Domain-Policies lets the server control, via a header, whether clients should trust such policy files.
The value none trusts no policy file and is safest, recommended by modern security baselines (e.g. OWASP Secure Headers). master-only trusts only the root master policy, by-content-type only policies with the correct Content-Type, and all permits everything and is dangerous.
Today Flash is fully retired and PDF cross-domain scenarios are rare, so this header's practical impact is small. Still, security scanners and compliance checklists often verify its presence, so declaring none as a defensive default is common practice.
X-Permitted-Cross-Domain-Policies: <none | master-only | by-content-type | by-ftp-filename | all>e.g. X-Permitted-Cross-Domain-Policies: none
none | Permits no cross-domain policy files at all; the safest recommended value. |
master-only | Allows only the master policy at the root (/crossdomain.xml), ignoring sub-policy files. |
by-content-type | Allows only policy files served with the proper Content-Type. |
all | Allows all cross-domain policy files (not recommended). |