Skip to main content

HTTP Header: X-Permitted-Cross-Domain-Policies

The attack​

Adobe Flash and Adobe Acrobat can load content from your domain even from other sites (in other words, cross-domain). This could cause unexpected data disclosure in rare cases or extra bandwidth usage.

The header​

The X-Permitted-Cross-Domain-Policies header tells clients like Flash and Acrobat what cross-domain policies they can use. If you don’t want them to load data from your domain, set the header’s value to none. For example:

X-Permitted-Cross-Domain-Policies: none

If Flash loads something from your site and sees that, it’ll know that it shouldn’t load data from your domain.

The code​

Helmet’s crossdomain middleware prevents Adobe Flash and Adobe Acrobat from loading content on your site.

const helmet = require('helmet')

// Sets "X-Permitted-Cross-Domain-Policies: none"
app.use(helmet.permittedCrossDomainPolicies())

Refs:​