X-Permitted-Cross-Domain-Policies & Referrer-Policy
Explore how to improve web application security using the X-Permitted-Cross-Domain-Policies header for controlling Adobe-related cross-domain requests and the Referrer-Policy header to protect user privacy by managing referrer information. Understand the limitations of relying on Referer and Origin headers for security and learn practical header configurations to mitigate risks.
Related to CORS, the X-Permitted-Cross-Domain-Policies header targets cross-domain policies for Adobe products, namely Flash and Acrobat.
I won't go too much into the details, as this is a header that targets very specific use cases, but, long story short, Adobe products handle cross-domain requests through a crossdomain.xml file in the root of the domain the request is targeting. The X-Permitted-Cross-Domain-Policies header tells those clients which policy files on the host, if any, they may honour. It takes one of five values (none, master-only, by-content-type, by-ftp-filename, all); none forbids every policy file, including the root crossdomain.xml itself, so Flash and Acrobat clients get no cross-domain access at all.
Sounds complicated? I would simply suggest adding X-Permitted-Cross-Domain-Policies: none and ignoring clients that want to make cross-domain requests with Flash.
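As an added example that is not part of the original lesson, the following Python helpers show what an auditor would actually check on a host: that the X-Permitted-Cross-Domain-Policies value is one of the five values Adobe defines and is none, and that any crossdomain.xml still served from the root does not grant wildcard access. The two XML documents and the header dictionaries are constructed sample input, not captured from a real site.

```python
"""Audit X-Permitted-Cross-Domain-Policies and a root crossdomain.xml.

Added example for the lesson above; the sample inputs below are constructed.
"""
import xml.etree.ElementTree as ET

# The five values defined by Adobe's cross-domain policy specification.
# "none" rejects every policy file on the host, including the root
# crossdomain.xml, which is why the lesson recommends it.
PERMITTED_VALUES = {"none", "master-only", "by-content-type", "by-ftp-filename", "all"}

# Constructed sample policy files (not taken from any real site).
SAMPLE_PERMISSIVE_XML = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*"/>
  <allow-access-from domain="*.partner.example" secure="false"/>
</cross-domain-policy>
"""

SAMPLE_STRICT_XML = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="app.example"/>
</cross-domain-policy>
"""


def check_permitted_policies_header(headers):
    """Return (ok, reason) for the X-Permitted-Cross-Domain-Policies header.

    `headers` is a mapping of response header names to values; lookup is
    case-insensitive. Only the value "none" is reported as safe.
    """
    value = None
    for name, raw in headers.items():
        if name.lower() == "x-permitted-cross-domain-policies":
            value = raw.strip().lower()
            break
    if value is None:
        return False, "header missing: Flash/Acrobat clients fall back to crossdomain.xml"
    if value not in PERMITTED_VALUES:
        return False, "value %r is not one of the five values Adobe defines" % value
    if value == "none":
        return True, "no policy file is honoured; Flash/Acrobat cross-domain access is off"
    if value == "all":
        return False, "'all' honours every policy file found anywhere on the host"
    return False, "%r still lets some policy files be honoured; prefer 'none'" % value


def audit_crossdomain_xml(xml_text):
    """Return a list of findings for a crossdomain.xml body.

    Flags wildcard and subdomain-wide allow-access-from entries and entries
    that allow plain-http callers to reach an https host (secure="false").
    For XML fetched from an untrusted host, parse with defusedxml instead of
    the stdlib parser used here.
    """
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is <%s>, not <cross-domain-policy>" % root.tag]
    for entry in root.findall("allow-access-from"):
        domain = entry.get("domain", "")
        if domain == "*":
            findings.append("allow-access-from domain='*' grants every origin access, "
                            "including to responses that carry the user's cookies")
        elif domain.startswith("*."):
            findings.append("allow-access-from domain=%r grants every subdomain access" % domain)
        if entry.get("secure", "true").lower() == "false":
            findings.append("secure='false' on %r lets http:// callers use this https policy" % domain)
    return findings


if __name__ == "__main__":
    for hdrs in ({}, {"X-Permitted-Cross-Domain-Policies": "none"},
                 {"x-permitted-cross-domain-policies": "all"}):
        print(hdrs, "->", check_permitted_policies_header(hdrs))
    for label, doc in (("permissive", SAMPLE_PERMISSIVE_XML), ("strict", SAMPLE_STRICT_XML)):
        print(label, "->", audit_crossdomain_xml(doc) or ["no findings"])
```

Run the audit against a real host by passing the response headers of GET / and, if it exists, the body of GET /crossdomain.xml; a host that answers with the header set to none can serve whatever crossdomain.xml it likes, because compliant clients will not read it.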
In 2017, Adobe announced it would discontinue support for Flash, meaning you most ...