CrossDomain.xml And ClientAccessPolicy.xml – Extremely Permissive


<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "">
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" to-ports="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*" secure="false"/>


<?xml version="1.0" encoding="utf-8"?>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
        <resource path="/" include-subpaths="true"/>

Some notes:
– Now days only Flash, Flex and Silverlight have any use for it.
encoding="utf-8", encoding="utf8", encoding="ISO-8859-1" or encoding="US-ASCII" doesn’t really matter. You should probabbly only use ASCII encoded files (4-bit).
– Serve your file with media-type (mimetype) HTTP header of Content-Type: text/x-cross-domain-policy,
(but text/plain, text/xml, application/xml or application/xhtml+xml would probably work too…)
– If you want to place those XML files anywhere- not only the root of the domain, but sub-domain or any path/sub-directory, you should make-sure your server sends X-Permitted-Cross-Domain-Policies HTTP header, with the value all, you only need to send it with the index and the xml files,
but you can send it with all of the resources using Header set X-Permitted-Cross-Domain-Policies "all" (APACHE/.htaccess) which may be more easy.

Alternative policy file-schemas
Generic DTD –
Generic XSD –
Socket XSD –

For best results you can add your server some permissive HTTP CORS headers for a more modern, HTML5 permissive resource access.

  1. Pingback: CORS