
DOMINO_PERMITTED_CROSS_DOMAIN_POLICIES

Parameter: DOMINO_PERMITTED_CROSS_DOMAIN_POLICIES
Short description: Sets the X-Permitted-Cross-Domain-Policies header for all HTTP responses – controls Adobe Flash/Acrobat cross-domain access.

Profile

Parameter: DOMINO_PERMITTED_CROSS_DOMAIN_POLICIES
Category: HTTP / Web
Component: Server
Available since: 12.0
Supported versions: 12.0, 14.0, 14.5, 14.5.1
GUI equivalent: Web Site / Internet Site document
Possible values: none, master-only, by-content-type, all

Description

The X-Permitted-Cross-Domain-Policies HTTP header defines which cross-domain policy files (crossdomain.xml) clients such as Adobe Flash or Acrobat are allowed to accept. For modern web applications, none is the safest value – it completely prevents cross-domain data requests via legacy plugins. For classic web security audits (Mozilla Observatory, securityheaders.com), setting this header is often required to achieve an A+ rating.

Example configuration

DOMINO_PERMITTED_CROSS_DOMAIN_POLICIES=none

Notes & pitfalls

  • Takes effect only after the HTTP task is restarted (restart task http).
  • none is the right choice for almost all modern applications; use all only in special cases with active Flash content.
  • Applies globally to all HTTP responses; site-specific overrides are possible via Web Site Rule documents.
  • Not a replacement for Content-Security-Policy; the two headers have different protection goals.
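
Verification check, as an added example (not part of the original page and not HCL code): after setting the parameter and restarting the HTTP task, the response head (for instance the saved output of curl -sI) can be audited for the header and its value. The function names, result labels and sample responses are assumptions constructed for illustration; the accepted values are the four listed on this page.

```python
# Added example: audit the X-Permitted-Cross-Domain-Policies header in a raw
# HTTP response head. Function names and result labels are hypothetical.
HEADER = "x-permitted-cross-domain-policies"
# Values this page lists for DOMINO_PERMITTED_CROSS_DOMAIN_POLICIES.
PAGE_VALUES = {"none", "master-only", "by-content-type", "all"}


def parse_head(raw):
    """Return (status_line, [(lowercased name, value), ...]) from a response head."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block; ignore any body
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit(raw):
    """Classify one response: 'ok', 'missing', 'duplicate', 'unknown' or 'review'."""
    _, headers = parse_head(raw)
    values = [v.lower() for n, v in headers if n == HEADER]
    if not values:
        return "missing"    # parameter unset, or HTTP task not restarted yet
    if len(values) > 1:
        return "duplicate"  # more than one value sent; ambiguous for clients
    if values[0] not in PAGE_VALUES:
        return "unknown"    # not one of the values listed on this page
    # The page recommends none; any other listed value needs a justification.
    return "ok" if values[0] == "none" else "review"


# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "hardened": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                "X-Permitted-Cross-Domain-Policies: none\r\n\r\n",
    "unset": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "permissive": "HTTP/1.1 200 OK\r\nx-permitted-cross-domain-policies: ALL\r\n\r\n",
    "doubled": "HTTP/1.1 200 OK\r\nX-Permitted-Cross-Domain-Policies: none\r\n"
               "X-Permitted-Cross-Domain-Policies: master-only\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10s} -> {audit(raw)}")
```

Because site-specific overrides are possible, run the check against each web site served by the Domino server rather than a single URL.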