In the bustling metropolis of the modern web, we often obsess over the popular security guards: CORS (Cross-Origin Resource Sharing) and CSP (Content-Security-Policy). But lurking in the shadows of legacy architecture is another critical gatekeeper that often goes unnoticed until a security audit turns up red: the Cross Domain Policy.
If you are managing enterprise applications or handling rich media like PDFs, ignoring this policy can leave a subtle backdoor open in your application security.
What is Cross Domain Policy?
At its core, a Cross Domain Policy is a set of instructions that tells a web client (historically Adobe Flash Player, Silverlight, or Adobe Acrobat) whether it is allowed to access data from a different domain than the one it is currently running on.
Think of it as a VIP list. If a Flash file hosted on evil-site.com tries to load data from your-bank.com, the browser plugin checks your-bank.com for a specific permission file (usually crossdomain.xml). If that file doesn’t exist or denies permission, the data stays locked.
While Flash is effectively dead, this mechanism lives on in other clients, particularly PDF readers and some legacy enterprise applications. This is where the x-permitted-cross-domain-policies header enters the chat.
The x-permitted-cross-domain-policies Header
The crossdomain.xml file at the root of your site is the “master” key. However, attackers found ways to upload their own malicious policy files to other folders on your server (e.g., via a file upload form).
To prevent this, we use the HTTP response header: x-permitted-cross-domain-policies.
This header tells the client: “I don’t care what XML policy files you find in my subdirectories; here are the ONLY ones you are allowed to obey.”
x-permitted-cross-domain-policies values
When configuring this header, you have a few specific options to control how strict you want to be:
| Value | Description | Security Level |
none | Disallows all cross-domain policy files, including the master one. No Flash/PDF cross-domain access is allowed. | Highest (Recommended) |
master-only | Only the crossdomain.xml file at the root (e.g., site.com/crossdomain.xml) is allowed. Subdirectory policies are ignored. | High |
by-content-type | Only policy files served with the specific Content-Type: text/x-cross-domain-policy are obeyed. | Moderate |
by-ftp-filename | Relevant only for FTP servers; allows files named crossdomain.xml. | Low |
all | Any file in any folder can act as a policy file. | Unsafe |
Recommendation: Unless you specifically know you need cross-domain Flash or PDF data loading, you should always set this to
none.
Configuration for x-permitted-cross-domain-policies nginx
If you are running an Nginx server, adding this header is a simple one-liner in your server block. This ensures that even if a user uploads a malicious XML file to your server, the browser/plugin will ignore it.
server {
listen 80;
server_name example.com;
# Security Headers
add_header X-Permitted-Cross-Domain-Policies "none" always;
location / {
try_files $uri $uri/ =404;
}
}
Decoding the “X”: What does X mean in HTTP headers?
You might notice a pattern in web security: X-Frame-Options, X-XSS-Protection, X-Permitted-Cross-Domain-Policies.
Historically, the “X-” prefix stood for “eXperimental” or “eXtension”.
In the early days of the web, if you wanted to create a custom header that wasn’t an official standard yet, you prefixed it with X-. The idea was that once it became a standard, the X- would be dropped.
However, this caused chaos. When X-Forwarded-For became a de-facto standard, removing the X- broke millions of systems. Consequently, in 2012, the IETF released RFC 6648, which deprecated the practice of using X- for new headers. Modern standards (like Content-Security-Policy) simply use the name without the prefix.
Is the X-content security policy deprecated?
Yes. X-Content-Security-Policy and X-WebKit-CSP were experimental versions used by older browsers (like Firefox 4 and old Chrome). You should now use the standard Content-Security-Policy (CSP) header. Using the “X” version today is unnecessary and often ignored by modern browsers.
Enterprise Corner: X-Content-Type-Options in WebSphere
If you are working in an enterprise environment using IBM WebSphere, you might face challenges implementing modern headers like X-Content-Type-Options (used to stop “MIME Sniffing”).
Standard web servers (Nginx/Apache) make this easy, but WebSphere is complex.
What is X Content Type Options in Websphere?
In WebSphere Application Server (WAS), this header is not on by default. To add the nosniff value to prevent MIME-sniffing attacks, you generally have two paths:
- Via the Administrative Console: In newer versions (Fix Pack 8.5.5.13+), IBM added a custom property to easily inject this. You typically navigate to the Web Container settings and add a custom property:
- Name:
com.ibm.ws.webcontainer.addXContentTypeOptions - Value:
nosniff
- Name:
- Via
web.xmlfilters: For older legacy apps, developers often have to write a Java Servlet Filter to manually attachresponse.setHeader("X-Content-Type-Options", "nosniff");to every outgoing response.
Summary
While the “X” headers are relics of a bygone era of web experimentation, the x-permitted-cross-domain-policies header remains a vital shield against legacy vulnerabilities involving PDFs and rich media.
- Audit your headers: Check if you are exposing cross-domain permissions.
- Set it to none: If you don’t need it, block it (
none). - Update your standards: Move away from
X-Content-Security-Policyto standardCSP.
By locking down these “forgotten” policies, you ensure your InspiredMonks platform—and your users—remain safe from the quirks of internet history.
