
X-Permitted-Cross-Domain-Policies

The HTTP X-Permitted-Cross-Domain-Policies response header defines a policy that controls whether resources on a website can be accessed cross-origin by documents running in web clients like Adobe Acrobat or Microsoft Silverlight.

This header is useful in scenarios where a website needs to specify a cross-domain access policy but cannot modify the root directory of the domain.

Although its use is now less common due to the deprecation of Adobe Flash Player and Microsoft Silverlight, some security tools still check for the presence of an X-Permitted-Cross-Domain-Policies: none header. Sending it helps mitigate the risk of overly permissive policy files that are accidentally or maliciously added to your site.

Syntax

The header field below shows an example of how to specify permitted cross-domain policies for HTTP connections.

X-Permitted-Cross-Domain-Policies: <permitted-cross-domain-policy>

Directives

none
No policy files are permitted anywhere on the target server, including in a master policy file.

master-only
Allows cross-domain access solely to the master policy file defined on the same domain.

by-content-type (HTTP/HTTPS only)
Only policy files served with Content-Type: text/x-cross-domain-policy are allowed.

by-ftp-filename (FTP only)
Only policy files with the filename crossdomain.xml (URLs ending with /crossdomain.xml) are permitted.

all
All policy files on this target domain are allowed.

none-this-response
Indicates that the current document should not be used as a policy file despite other headers or its content. This setting is exclusive to the HTTP header.

Example

Web clients such as Adobe Acrobat or Apache Flex can load web documents, which may in turn load resources from the same site or other sites.
Access is restricted to same-site resources by default, due to the same origin policy, but cross-origin sites can choose to allow access to some or all of their resources to clients from other sites using special files called cross-domain policy files.

A “master” cross-domain policy file is typically named crossdomain.xml and placed in the root directory of the domain, for example: http://example.com/crossdomain.xml.
This master file defines the overall policy for the entire site using the permitted-cross-domain-policies attribute within the <site-control> element.
The meta-policy determines whether any cross-domain policies are permitted and sets the conditions for other “sub” policy files, which may be created in specific directories to specify access for resources within those directories.

For instance, the following is an example of the most restrictive master policy, which disallows all cross-domain access and does not permit use of any sub-policy files:

```xml
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
 <site-control permitted-cross-domain-policies="none"/>
</cross-domain-policy>
```

The X-Permitted-Cross-Domain-Policies header can be used in HTTP responses to specify a meta-policy or override the policy set in the master cross-domain policy file, if it exists.
It accepts the same values as the permitted-cross-domain-policies attribute, with the addition of none-this-response.

This header is often utilized to prevent any cross-domain access when developers do not have the ability to create or modify a master policy file in the site root.
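The following checker is an added example, not code from the original page, Adobe or Requestly. It applies the precedence described above (the header overrides the master file's permitted-cross-domain-policies attribute) and grades the result the way a header-scanning tool would; treating none-this-response as deferring to the master file, and the pass/warn/fail grades, are this example's own assumptions. The crossdomain.xml and header dictionary are constructed samples.

```python
import xml.etree.ElementTree as ET

# Values the header accepts; the file accepts all of these except none-this-response.
HEADER_VALUES = {"none", "master-only", "by-content-type",
                 "by-ftp-filename", "all", "none-this-response"}


def master_file_meta_policy(xml_text):
    """Read permitted-cross-domain-policies from a master crossdomain.xml.
    Returns None when no <site-control> element is present. ElementTree does
    not fetch the external DTD named in the DOCTYPE, so this runs offline."""
    site_control = ET.fromstring(xml_text).find("site-control")
    if site_control is None:
        return None
    return site_control.get("permitted-cross-domain-policies")


def effective_meta_policy(headers, master_xml=None):
    """Return (value, source); source is 'header', 'master-file' or 'absent'.
    A header value other than none-this-response overrides the file. Assumption:
    none-this-response only says this response is not a policy file, so the
    site-wide meta-policy still comes from the master file if one exists."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("x-permitted-cross-domain-policies")
    if value is not None:
        value = value.strip().lower()
        if value not in HEADER_VALUES:
            raise ValueError(f"unknown X-Permitted-Cross-Domain-Policies value: {value!r}")
        if value != "none-this-response":
            return value, "header"
    if master_xml:
        file_value = master_file_meta_policy(master_xml)
        if file_value is not None:
            return file_value.strip().lower(), "master-file"
    return None, "absent"


def assess(headers, master_xml=None):
    """Grade like a header scanner: 'none' passes, 'all' fails, no meta-policy
    at all warns, other directives are flagged for review."""
    value, source = effective_meta_policy(headers, master_xml)
    if value == "none":
        return "pass", f"cross-domain policy files disallowed via {source}"
    if value is None:
        return "warn", "no X-Permitted-Cross-Domain-Policies header and no master policy file"
    if value == "all":
        return "fail", f"every policy file on the site is honoured ({source})"
    return "review", f"meta-policy {value!r} set via {source}"


# Constructed sample: a permissive master file that the response header overrides.
PERMISSIVE_MASTER = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
 <site-control permitted-cross-domain-policies="all"/>
</cross-domain-policy>"""
HARDENED_HEADERS = {"Content-Type": "text/html", "X-Permitted-Cross-Domain-Policies": "none"}
```

Calling assess(HARDENED_HEADERS, PERMISSIVE_MASTER) reports a pass because the header wins, while the same master file with no header reports a fail.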

Examples

Disallowing cross-domain policy files
If you do not need to load application data in clients like Adobe Flash Player or Adobe Acrobat, the header should be set as:

```http
X-Permitted-Cross-Domain-Policies: none
```

Specifications

Documented in the Adobe Cross Domain Policy File Specification.

How to Modify Header using Requestly

Requestly is a Chrome extension that lets you modify HTTP headers, including the X-Permitted-Cross-Domain-Policies header. This lets you control cross-domain policies during development or testing and confirm that your web application handles resource sharing securely.

Steps to modify the X-Permitted-Cross-Domain-Policies header:

  1. Install and open the Requestly Chrome extension. You can find it on the Chrome Web Store.
  2. Create a new rule: Click on “Create Rule” and choose “Modify Headers” from the list of available rule types.
  3. Add a new header modification:
    • Under “Action”, select “Add” or “Override”.
    • In the “Header Name” field, enter X-Permitted-Cross-Domain-Policies.
    • In the “Header Value” field, enter the policy value you want to enforce (e.g., none, master-only, by-content-type, or all).
  4. Set the URL condition: Specify the URL or pattern where this header change should apply (e.g., https://your-site.com/*).
  5. Save the rule.

After applying this rule, Requestly adds or overrides the X-Permitted-Cross-Domain-Policies header on responses to matching requests, allowing you to test how your application enforces cross-domain policies and to improve its security configuration.