Parameter:
DOMINO_PERMITTED_CROSS_DOMAIN_POLICIESShort description: Sets the
X-Permitted-Cross-Domain-Policies header for all HTTP responses – controls Adobe Flash/Acrobat cross-domain access.Profile
Parameter | DOMINO_PERMITTED_CROSS_DOMAIN_POLICIES |
Category | HTTP / Web |
Component | Server |
Available since | 12.0 |
Supported versions | 12.0, 14.0, 14.5, 14.5.1 |
GUI equivalent | Web Site / Internet Site document |
Possible values | none, master-only, by-content-type, all |
Description
Verify spelling. This header belongs to the family of Domino 12+ security headers (HCL KB0028803). The exact spelling of the notes.ini switch
DOMINO_PERMITTED_CROSS_DOMAIN_POLICIES is not directly documented in official HCL KBs — a better-documented alternative is configuration via HTTP Response Header Rules in the Web Site document. Verify before production use.The
X-Permitted-Cross-Domain-Policies HTTP header defines which cross-domain policy files (crossdomain.xml) clients such as Adobe Flash or Acrobat are allowed to accept. For modern web applications, none is the safest value – it completely prevents cross-domain data requests via legacy plugins. For classic web security audits (Mozilla Observatory, securityheaders.com), setting this header is often required to achieve an A+ rating.Example configuration
DOMINO_PERMITTED_CROSS_DOMAIN_POLICIES=none
Notes & pitfalls
- Takes effect only after
restart task http.
noneis the right choice for almost all modern applications;allonly in special cases with active Flash content.
- Applies globally to all HTTP responses; site-specific overrides are possible via Web Site Rule documents.
- Not a replacement for
Content-Security-Policy; the two headers have different protection goals.