Add support for X-Permitted-Cross-Domain-Policies

[reedloden]

HTTP header used for informing Adobe products as to how to handle cross domain policies.

https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/xdomain.html

https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html

Specifies the meta-policy. The default value is master-only for all policy files except socket policy files, where the default is all. Allowed values are:

• none: No policy files are allowed anywhere on the target server, including this master policy file.
• master-only: Only this master policy file is allowed.
• by-content-type: [HTTP/HTTPS only] Only policy files served with Content-Type: text/x-cross-domain-policy are allowed.
• by-ftp-filename: [FTP only] Only policy files whose file names are crossdomain.xml (i.e. URLs ending in /crossdomain.xml) are allowed.
• all: All policy files on this target domain are allowed.

[oreoshake]

Should the default be 'none'?

[stve]

It seems like 'none' would be the most secure. All others would assume the existence of a crossdomain.xml file which is probably outside the scope of this project.

[oreoshake]

Makes sense to me. Hmmm this could potentially break a lot of sites who wouldn't override the setting and needs it to function.

secure_headers 2.0 I guess.

[stve]

I would think that since you aren't changing the external API (code-wise, at least) a major version release wouldn't be necessary. Maybe the default should be nil? That way the header is only included when a value is assigned.

[reedloden]

For now, I think the best option is to not set this header by default but allow a user to set a specific value as needed.

[stve]

I see that a pre-release of 2.0 was just tagged, given the major version bump, is there interest in having this included as part of 2.0? If so, I'd be happy to put some effort towards it.

[oreoshake]

Yes please!