Add support for X-Permitted-Cross-Domain-Policies #88
Comments
Should the default be 'none'?
It seems like 'none' would be the most secure. All others would assume the existence of a crossdomain.xml file which is probably outside the scope of this project.
Makes sense to me. Hmmm this could potentially break a lot of sites who wouldn't override the setting and need it to function. secure_headers 2.0 I guess.
I would think that since you aren't changing the external API (code-wise, at least) a major version release wouldn't be necessary. Maybe the default should be
For now, I think the best option is to not set this header by default but allow a user to set a specific value as needed.
I see that a pre-release of 2.0 was just tagged. Given the major version bump, is there interest in having this included as part of 2.0? If so, I'd be happy to put some effort towards it.
Yes please!
HTTP header used for informing Adobe products as to how to handle cross domain policies.
https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/xdomain.html
https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
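
The behavior the thread converges on (no header unless the user opts in, then one explicit value) shown as a Rack-style middleware. This is an added example, not code from secure_headers; the class name, the `response_headers` helper and the sample app are hypothetical, and the value list is the set of policy values from Adobe's cross-domain policy specification.

```ruby
# Added example: hypothetical Rack-style middleware, not the secure_headers API.
class PermittedCrossDomainPolicies
  HEADER = "X-Permitted-Cross-Domain-Policies"
  # Policy values from Adobe's cross-domain policy specification.
  VALID_VALUES = %w[none master-only by-content-type by-ftp-filename all].freeze

  # value == nil means "not configured": the header is never emitted,
  # so existing sites that rely on crossdomain.xml keep working.
  def initialize(app, value = nil)
    unless value.nil? || VALID_VALUES.include?(value)
      raise ArgumentError, "invalid #{HEADER} value: #{value.inspect}"
    end
    @app = app
    @value = value
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Header names are case-insensitive; do not override a value the
    # application already chose for this particular response.
    already_set = headers.keys.any? { |k| k.to_s.casecmp?(HEADER) }
    headers[HEADER] = @value if @value && !already_set
    [status, headers, body]
  end
end

# Constructed sample app: returns a fresh header hash on every call.
SAMPLE_APP = ->(_env) { [200, { "Content-Type" => "text/plain" }, ["ok"]] }

# Runs one request through the middleware and returns the response headers.
def response_headers(value, app = SAMPLE_APP)
  _status, headers, _body = PermittedCrossDomainPolicies.new(app, value).call({})
  headers
end

if __FILE__ == $PROGRAM_NAME
  p response_headers(nil)     # opt-out: header absent
  p response_headers("none")  # opt-in: strictest policy
end
```

Rejecting unknown values at construction time means a typo fails at boot instead of silently sending a header that clients ignore.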