25 lines
1.1 KiB
Markdown
25 lines
1.1 KiB
Markdown
|
X-Permitted-Cross-Domain-Policies middleware
|
||
|
|
============================================
|
||
|
|
[](https://travis-ci.org/helmetjs/crossdomain)
|
||
|
|
|
||
|
|
The `X-Permitted-Cross-Domain-Policies` header tells some web clients (like Adobe Flash or Adobe Acrobat) your domain's policy for loading cross-domain content. See the description on [OWASP](https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#X-Permitted-Cross-Domain-Policies) for more.
|
||
|
|
|
||
|
|
Usage:
|
||
|
|
|
||
|
|
```javascript
|
||
|
|
const crossdomain = require('helmet-crossdomain')
|
||
|
|
|
||
|
|
// Sets X-Permitted-Cross-Domain-Policies: none
|
||
|
|
app.use(crossdomain())
|
||
|
|
|
||
|
|
// You can use any of the following values:
|
||
|
|
app.use(crossdomain({ permittedPolicies: 'none' }))
|
||
|
|
app.use(crossdomain({ permittedPolicies: 'master-only' }))
|
||
|
|
app.use(crossdomain({ permittedPolicies: 'by-content-type' }))
|
||
|
|
app.use(crossdomain({ permittedPolicies: 'all' }))
|
||
|
|
```
|
||
|
|
|
||
|
|
The `by-ftp-type` is not currently supported. Please open an issue or pull request if you desire this feature!
|
||
|
|
|
||
|
|
If you don't expect Adobe products to load data from your site, you get a minor security benefit by adding this header.
|