X-Permitted-Cross-Domain-Policies

Enabled Smaller but still important security response headers.


The X-Permitted-Cross-Domain-Policies header is used to permit cross-domain requests from Flash and PDF documents. In most cases, these permissions are defined in an XML document called crossdomain.xml found in the root directory of the web page. For situations in which the root directory cannot be specified, however, this header can be used to define a desired meta policy. The X-Permitted-Cross-Domain-Policies header should ideally be set as restrictively as possible.

ℹ Read more about this header here.

Usage

This header is enabled by default but you can change its behavior like following.

export default defineNuxtConfig({
  // Global
  security: {
    headers: {
      xPermittedCrossDomainPolicies: <OPTIONS>,
    },
  },

  // Per route
  routeRules: {
    '/custom-route': {
      security: {
        headers: {
          xPermittedCrossDomainPolicies: <OPTIONS>,
        },
      },
    }
  }
})

You can also disable this header by xPermittedCrossDomainPolicies: false.

Default value

By default, Nuxt Security will set the following value for this header.

X-Permitted-Cross-Domain-Policies: none

Available values

The xPermittedCrossDomainPolicies header can be configured with following values.

xPermittedCrossDomainPolicies: 'none'
  | 'master-only'
  | 'by-content-type'
  | 'by-ftp-filename'
  | 'all'
  | false;

none

Will prevent the browser from MIME-sniffing a response away from the declared content-type.

master-only

Only this master policy file is allowed.

by-content-type

HTTP/HTTPS only Only policy files served with Content-Type: text/x-cross-domain-policy are allowed.

by-ftp-filename

FTP only Only policy files whose filenames are crossdomain.xml (i.e. URLs ending in /crossdomain.xml) are allowed.

all

All policy files on this target domain are allowed.