CrossDomain.xml And ClientAccessPolicy.xml – Extremely Permissive

CrossDomain.xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" to-ports="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*" secure="false"/>
</cross-domain-policy>

ClientAccessPolicy.xml

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>

Some notes:
– These days only Flash, Flex and Silverlight have any use for these files; browsers ignore them, so they matter only if you still serve those plugins (and in most security assessments a domain="*" entry is reported as a finding, because it lets any site read data from your origin with the user's cookies).
– encoding="utf-8", encoding="utf8", encoding="ISO-8859-1" or encoding="US-ASCII" doesn't really matter. You should probably save the files as plain ASCII (7-bit), which is valid under every one of those declarations.
– Serve the file with the media-type (MIME type) HTTP header Content-Type: text/x-cross-domain-policy
(but text/plain, text/xml, application/xml or application/xhtml+xml would probably work too…)
– If you want to place those XML files somewhere other than the root of the domain, i.e. in a path/sub-directory (a sub-domain is a separate host and gets its own master policy file), make sure your server sends the X-Permitted-Cross-Domain-Policies HTTP header with the value all. You only need to send it with the index and the XML files,
but you can send it with all of the resources using Header set X-Permitted-Cross-Domain-Policies "all" (Apache/.htaccess), which may be easier. Two caveats: a Flash policy file outside the root can only grant access to resources at or below its own directory and the SWF has to load it explicitly with Security.loadPolicyFile(), and Silverlight ignores this header altogether, it only looks for /clientaccesspolicy.xml (falling back to /crossdomain.xml) at the root.
– Silverlight's <domain uri="*"/> only matches callers using the same scheme (http or https) as the service; list http://* and https://* explicitly if you also want cross-scheme access.
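The settings above are exactly what an assessor greps for when reviewing a host. As an added example (not code from the original post), here is a small dependency-free Node.js audit that reads a crossdomain.xml or clientaccesspolicy.xml and lists the over-permissive settings it finds. The inputs are the two files from this post plus a constructed tight policy for contrast; static.example.com is a placeholder host, and the tag scanner is a stand-in for a real XML parser.

```javascript
// Added example, not from the original post: a dependency-free audit of a Flash crossdomain.xml
// or a Silverlight clientaccesspolicy.xml that flags the settings pentesters look for.
// A tiny tag/attribute scanner stands in for a real XML parser (it ignores comments and CDATA,
// which policy files never need); a production tool should use a proper parser.

function parseTags(xml) {
  // Returns [{ name, attrs }] for every start tag / self-closing tag, in document order.
  // The XML prolog, DOCTYPE and closing tags are skipped: their first character is not a letter.
  const tagRe = /<([A-Za-z][\w:-]*)((?:\s+[\w:-]+\s*=\s*"[^"]*")*)\s*\/?>/g;
  const attrRe = /([\w:-]+)\s*=\s*"([^"]*)"/g;
  const tags = [];
  let m;
  while ((m = tagRe.exec(xml)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[2])) !== null) attrs[a[1]] = a[2];
    tags.push({ name: m[1], attrs });
  }
  return tags;
}

function auditPolicy(xml) {
  // Returns human-readable findings; an empty list means nothing over-permissive was seen.
  const findings = [];
  for (const { name, attrs } of parseTags(xml)) {
    // Flash / Flex (crossdomain.xml)
    if (name === 'site-control' && attrs['permitted-cross-domain-policies'] === 'all') {
      findings.push('site-control: permitted-cross-domain-policies="all" lets policy files live anywhere on the host');
    }
    if (name === 'allow-access-from') {
      const domain = attrs.domain || '';
      if (domain === '*') {
        findings.push('allow-access-from domain="*": any site can read this origin with the user\'s cookies');
      } else if (domain.startsWith('*.')) {
        findings.push(`allow-access-from domain="${domain}": every subdomain is trusted`);
      }
      if (attrs.secure === 'false') {
        findings.push('allow-access-from secure="false": plain-HTTP SWFs may read this HTTPS origin');
      }
    }
    if (name === 'allow-http-request-headers-from' && attrs.domain === '*' && attrs.headers === '*') {
      findings.push('allow-http-request-headers-from domain="*" headers="*": any site may send arbitrary headers');
    }
    // Silverlight (clientaccesspolicy.xml)
    if (name === 'domain' && ['*', 'http://*', 'https://*'].includes(attrs.uri)) {
      findings.push(`domain uri="${attrs.uri}": every origin is allowed`);
    }
    if (name === 'allow-from' && attrs['http-request-headers'] === '*') {
      findings.push('allow-from http-request-headers="*": arbitrary request headers are allowed');
    }
  }
  return findings;
}

// Constructed inputs: the two permissive files from the post, and a tight policy for contrast
// (static.example.com is a placeholder host).
const PERMISSIVE_CROSSDOMAIN = `<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" to-ports="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*" secure="false"/>
</cross-domain-policy>`;

const PERMISSIVE_CLIENTACCESS = `<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>`;

const TIGHT_CROSSDOMAIN = `<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="static.example.com" secure="true"/>
</cross-domain-policy>`;

console.log(auditPolicy(PERMISSIVE_CROSSDOMAIN));   // 4 findings
console.log(auditPolicy(PERMISSIVE_CLIENTACCESS));  // 2 findings
console.log(auditPolicy(TIGHT_CROSSDOMAIN));        // []
```

Point it at a fetched file (curl https://host/crossdomain.xml) and any non-empty result is worth a line in the report; the wildcard-subdomain check matters because one XSS on any subdomain then reaches the whole origin.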

Alternative policy file-schemas
Generic DTD – http://www.adobe.com/xml/dtds/cross-domain-policy.dtd
Generic XSD – http://www.adobe.com/xml/schemas/PolicyFile.xsd
HTTP XSD – http://www.adobe.com/xml/schemas/PolicyFileHttp.xsd
HTTPS XSD – http://www.adobe.com/xml/schemas/PolicyFileHttps.xsd
FTP XSD – http://www.adobe.com/xml/schemas/PolicyFileFtp.xsd
Socket XSD – http://www.adobe.com/xml/schemas/PolicyFileSocket.xsd


For best results you can also add permissive HTTP CORS headers to your server, which is what modern (HTML5) browsers use for cross-origin resource access.

CORS

Here is an extremely permissive set of CORS HTTP headers,
in a .htaccess/Apache compatible format.

If you're using an old GoDaddy.com hosting plan you'll need to unset any pre-existing values first:

Header unset   Access-Control-Allow-Methods
Header unset   Access-Control-Allow-Origin
Header unset   Access-Control-Allow-Headers
Header unset   Access-Control-Expose-Headers
Header unset   Access-Control-Allow-Credentials
Header unset   Timing-Allow-Origin
Header unset   X-Permitted-Cross-Domain-Policies

This is what you’re looking for:

Header   set   Access-Control-Allow-Methods        "CONNECT,DELETE,GET,HEAD,OPTIONS,PATCH,PING,POST,PUT,TRACE"
Header   set   Access-Control-Allow-Origin         "*"
Header   set   Access-Control-Allow-Headers        "Accept,Accept-Charset,Accept-Encoding,Accept-Language,Access-Control-Allow-Credentials,Access-Control-Allow-Headers,Access-Control-Allow-Methods,Access-Control-Allow-Origin,Access-Control-Expose-Headers,Access-Control-Max-Age,Access-Control-Request-Headers,Access-Control-Request-Method,Alt-Svc,Cache-Control,Connection,Content-Description,Content-Encoding,Content-Language,Content-Length,Content-Security-Policy,Content-Transfer-Encoding,Content-Type,Cookie,Date,DNT,Downlink,DPR,Expires,Host,If-Modified-Since,Keep-Alive,Last-Event-ID,Last-Modified,Origin,P3P,Pragma,Referer,Referrer-Policy,Remote-Address,Save-Data,Server,Set-Cookie,Strict-Transport-Security,Timing-Allow-Origin,Transfer-Encoding,Upgrade-Insecure-Requests,User-Agent,Vary,Viewport-Width,Width,X-Backend-Server,X-Cache-Info,X-Content-Type-Options,X-CustomHeader,X-Forwarded-For,X-Forwarded-Host,X-Forwarded-Port,X-Forwarded-Proto,X-Forwarded-Server,X-Frame-Options,X-HTTP-Method-Override,X-Kuma-Revision,X-Modified,X-OTHER,X-Permitted-Cross-Domain-Policies,X-PING,X-PINGOTHER,X-Powered-By,X-Real-IP,X-Requested-With,X-XSS-Protection"
Header   set   Access-Control-Expose-Headers       "Accept,Accept-Charset,Accept-Encoding,Accept-Language,Access-Control-Allow-Credentials,Access-Control-Allow-Headers,Access-Control-Allow-Methods,Access-Control-Allow-Origin,Access-Control-Expose-Headers,Access-Control-Max-Age,Access-Control-Request-Headers,Access-Control-Request-Method,Alt-Svc,Cache-Control,Connection,Content-Description,Content-Encoding,Content-Language,Content-Length,Content-Security-Policy,Content-Transfer-Encoding,Content-Type,Cookie,Date,DNT,Downlink,DPR,Expires,Host,If-Modified-Since,Keep-Alive,Last-Event-ID,Last-Modified,Origin,P3P,Pragma,Referer,Referrer-Policy,Remote-Address,Save-Data,Server,Set-Cookie,Strict-Transport-Security,Timing-Allow-Origin,Transfer-Encoding,Upgrade-Insecure-Requests,User-Agent,Vary,Viewport-Width,Width,X-Backend-Server,X-Cache-Info,X-Content-Type-Options,X-CustomHeader,X-Forwarded-For,X-Forwarded-Host,X-Forwarded-Port,X-Forwarded-Proto,X-Forwarded-Server,X-Frame-Options,X-HTTP-Method-Override,X-Kuma-Revision,X-Modified,X-OTHER,X-Permitted-Cross-Domain-Policies,X-PING,X-PINGOTHER,X-Powered-By,X-Real-IP,X-Requested-With,X-XSS-Protection"
Header   set   Access-Control-Allow-Credentials    "true"
Header   set   Timing-Allow-Origin                 "*"
Header   set   X-Permitted-Cross-Domain-Policies   "all"

Note that when this was written neither Access-Control-Allow-Headers nor Access-Control-Expose-Headers accepted * as a value, which is why their value is a long list of the most commonly used HTTP header names (collected by me…). Current browsers do accept * in both headers for requests made without credentials, but in a credentialed request (fetch with credentials: "include", XMLHttpRequest with withCredentials) the * is taken literally as a header named "*", so the explicit list is still what makes the credentialed case work.
Two more things the browser enforces regardless of what the server sends:
– Access-Control-Allow-Origin: * is rejected for credentialed requests. To allow credentials the server has to echo the requesting Origin value (and send Vary: Origin so caches keep the variants apart) and Access-Control-Allow-Credentials must be exactly true. Echoing every origin together with credentials lets any website read the logged-in user's data from your site, so do that only for resources that really are public to everyone.
– CONNECT, TRACE and TRACK are forbidden methods in the Fetch specification and cannot be sent from page script at all, and PING is not an HTTP method (the <a ping> attribute sends a POST), so listing them in Access-Control-Allow-Methods has no effect. Likewise forbidden request headers such as Cookie, Host, Connection and Set-Cookie are set by the browser itself and can never be supplied by a script, so allowing them is harmless but pointless.
Some hosting/servers might have issues with such a long header value;
you can try to split the value in half using two headers,
and in some cases you'll need to shorten things up,
when the length of the HTTP header value is too long for your server.

You could try splitting the value into two calls using add:

Header   add   Access-Control-Allow-Headers        "Accept,Accept-Charset,Accept-Encoding,Accept-Language,Access-Control-Allow-Credentials,Access-Control-Allow-Headers,Access-Control-Allow-Methods,Access-Control-Allow-Origin,Access-Control-Expose-Headers,Access-Control-Max-Age,Access-Control-Request-Headers,Access-Control-Request-Method,Alt-Svc,Cache-Control,Connection,Content-Description,Content-Encoding,Content-Language,Content-Length,Content-Security-Policy,Content-Transfer-Encoding,Content-Type,Cookie,Date,DNT,Downlink,DPR,Expires,Host,If-Modified-Since"
Header   add   Access-Control-Allow-Headers        "Keep-Alive,Last-Event-ID,Last-Modified,Origin,P3P,Pragma,Referer,Referrer-Policy,Remote-Address,Save-Data,Server,Set-Cookie,Strict-Transport-Security,Timing-Allow-Origin,Transfer-Encoding,Upgrade-Insecure-Requests,User-Agent,Vary,Viewport-Width,Width,X-Backend-Server,X-Cache-Info,X-Content-Type-Options,X-CustomHeader,X-Forwarded-For,X-Forwarded-Host,X-Forwarded-Port,X-Forwarded-Proto,X-Forwarded-Server,X-Frame-Options,X-HTTP-Method-Override,X-Kuma-Revision,X-Modified,X-OTHER,X-Permitted-Cross-Domain-Policies,X-PING,X-PINGOTHER,X-Powered-By,X-Real-IP,X-Requested-With,X-XSS-Protection"

Header   add   Access-Control-Expose-Headers       "Accept,Accept-Charset,Accept-Encoding,Accept-Language,Access-Control-Allow-Credentials,Access-Control-Allow-Headers,Access-Control-Allow-Methods,Access-Control-Allow-Origin,Access-Control-Expose-Headers,Access-Control-Max-Age,Access-Control-Request-Headers,Access-Control-Request-Method,Alt-Svc,Cache-Control,Connection,Content-Description,Content-Encoding,Content-Language,Content-Length,Content-Security-Policy,Content-Transfer-Encoding,Content-Type,Cookie,Date,DNT,Downlink,DPR,Expires,Host,If-Modified-Since"
Header   add   Access-Control-Expose-Headers       "Keep-Alive,Last-Event-ID,Last-Modified,Origin,P3P,Pragma,Referer,Referrer-Policy,Remote-Address,Save-Data,Server,Set-Cookie,Strict-Transport-Security,Timing-Allow-Origin,Transfer-Encoding,Upgrade-Insecure-Requests,User-Agent,Vary,Viewport-Width,Width,X-Backend-Server,X-Cache-Info,X-Content-Type-Options,X-CustomHeader,X-Forwarded-For,X-Forwarded-Host,X-Forwarded-Port,X-Forwarded-Proto,X-Forwarded-Server,X-Frame-Options,X-HTTP-Method-Override,X-Kuma-Revision,X-Modified,X-OTHER,X-Permitted-Cross-Domain-Policies,X-PING,X-PINGOTHER,X-Powered-By,X-Real-IP,X-Requested-With,X-XSS-Protection"

And you can also simply remove some…
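To see what the browser actually makes of the header set above, here is an added example (not code from the original post) that models the Fetch specification's CORS checks in plain Node.js and runs the post's headers through them. The response-header object, the abbreviated method/header lists and the calling origin https://other.example are constructed for the example; echoOrigin is an assumed helper name showing the fix a server needs for credentialed access.

```javascript
// Added example, not from the original post: a Node.js model of the checks a browser applies to
// CORS response headers (Fetch specification), used to show that the header set above is accepted
// for anonymous requests but rejected the moment the request carries credentials.

const FORBIDDEN_METHODS = new Set(['CONNECT', 'TRACE', 'TRACK']);   // never sendable from page script
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);            // no preflight for the method itself
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);

// Split a comma-separated header value into a Set of trimmed tokens.
function tokens(value, upperCase) {
  if (!value) return new Set();
  return new Set(value.split(',').map(s => s.trim()).filter(Boolean)
                      .map(s => (upperCase ? s.toUpperCase() : s.toLowerCase())));
}

// request: { origin, method, headers: [names set by script], credentials: bool }
// responseHeaders: object keyed by lower-case header name (as Node's http module reports them)
// returns { ok, reason }
function corsCheck(request, responseHeaders) {
  const h = name => responseHeaders[name];
  const method = request.method.toUpperCase();
  if (FORBIDDEN_METHODS.has(method)) {
    return { ok: false, reason: `${method} is a forbidden method; the browser will not send it` };
  }

  // Access-Control-Allow-Origin must be "*" or an exact match; "*" is rejected with credentials.
  const acao = h('access-control-allow-origin');
  if (acao === undefined) return { ok: false, reason: 'missing Access-Control-Allow-Origin' };
  if (acao === '*') {
    if (request.credentials) {
      return { ok: false, reason: 'Access-Control-Allow-Origin: * is rejected for credentialed requests; echo the Origin' };
    }
  } else if (acao !== request.origin) {
    return { ok: false, reason: `Access-Control-Allow-Origin "${acao}" does not match ${request.origin}` };
  }
  if (request.credentials && h('access-control-allow-credentials') !== 'true') {
    return { ok: false, reason: 'credentialed request needs Access-Control-Allow-Credentials: true' };
  }

  // Preflight: the "*" wildcard in the method/header lists only counts for requests without credentials.
  const wildcardOk = !request.credentials;
  if (!SIMPLE_METHODS.has(method)) {
    const allowed = tokens(h('access-control-allow-methods'), true);
    if (!allowed.has(method) && !(wildcardOk && allowed.has('*'))) {
      return { ok: false, reason: `${method} is not in Access-Control-Allow-Methods` };
    }
  }
  const allowedHeaders = tokens(h('access-control-allow-headers'), false);
  for (const name of (request.headers || []).map(n => n.toLowerCase())) {
    if (SAFELISTED_HEADERS.has(name)) continue;
    // "*" never covers Authorization, even without credentials
    const byWildcard = wildcardOk && name !== 'authorization' && allowedHeaders.has('*');
    if (!allowedHeaders.has(name) && !byWildcard) {
      return { ok: false, reason: `request header ${name} is not in Access-Control-Allow-Headers` };
    }
  }
  return { ok: true, reason: 'allowed' };
}

// Constructed response headers: the post's set (method/header lists abbreviated), lower-cased as Node would.
const PERMISSIVE_HEADERS = {
  'access-control-allow-origin': '*',
  'access-control-allow-credentials': 'true',
  'access-control-allow-methods': 'CONNECT,DELETE,GET,HEAD,OPTIONS,PATCH,PING,POST,PUT,TRACE',
  'access-control-allow-headers': 'Accept,Content-Type,Cookie,X-Requested-With,X-PINGOTHER',
};

// The fix for credentialed access: echo the requesting Origin (and Vary on it so caches keep them apart).
// Echoing *every* origin this way is equivalent to trusting every website with the user's session.
function echoOrigin(headers, origin) {
  return { ...headers, 'access-control-allow-origin': origin, 'vary': 'Origin' };
}

const ORIGIN = 'https://other.example';   // placeholder calling origin
console.log(corsCheck({ origin: ORIGIN, method: 'GET', headers: [], credentials: false }, PERMISSIVE_HEADERS));
console.log(corsCheck({ origin: ORIGIN, method: 'GET', headers: [], credentials: true }, PERMISSIVE_HEADERS));
console.log(corsCheck({ origin: ORIGIN, method: 'PATCH', headers: ['X-Requested-With'], credentials: true },
                      echoOrigin(PERMISSIVE_HEADERS, ORIGIN)));
```

The three calls at the bottom give allowed, rejected (wildcard origin with credentials) and allowed again once the origin is echoed, which is the whole point: a server that wants "anyone, with cookies" cannot get it from a static Header set line, it has to reflect the Origin per request, and at that moment it is deliberately handing the user's session to every site.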


In addition to the permissive CORS HTTP headers,
which suit HTML5 and newer web programming,
– you can add permissive CrossDomain.xml and ClientAccessPolicy.xml files,
which add support for Adobe (Macromedia) Flash, Flex and .NET's Silverlight to your website.

And thanks to X-Permitted-Cross-Domain-Policies set to all, a Flash policy file can be placed in any sub-path you like (normally they are limited to the root of the domain / sub-domain) and loaded from the SWF with Security.loadPolicyFile(); Silverlight's ClientAccessPolicy.xml still has to live at the root.

JavaScript Snippet – Query For Accessible IFRAMEs

IFRAMEs whose SRC attribute is about:blank or javascript:true inherit the origin of the page that created them and are therefore readable from it; I call these origin-free IFRAMEs.
An IFRAME that loads a page from another origin is not readable, and CORS headers do not change that: Access-Control-Allow-Origin governs what fetch/XMLHttpRequest may read from a response, not whether a parent document may reach into a framed document (only the deprecated document.domain relaxation does that, and only between pages sharing a parent domain).

So if you ever wonder which of the IFRAMEs on your own page you can actually reach, the easy answer is that you have to try it and find out.

This snippet tries (silently) to access the document of every IFRAME it finds under the input window object,
and returns a list of those where it managed to do so successfully.

function get_document(win){
  var doc = null;
  try{
    /* a window has .document; an <iframe> element has .contentDocument (null when cross-origin)
       or .contentWindow.document (throws a SecurityError when cross-origin, which we swallow) */
    doc = win.document || win.contentDocument || win.contentWindow.document;
  }catch(err){}
  return doc || null;
}

function get_accessible_iframes(win){
  win = "undefined" === typeof win ? self : win; /* normalize input */

  /* querySelectorAll returns a NodeList, which has no .filter, so copy it into an array first */
  return Array.prototype.slice.call(win.document.querySelectorAll("iframe")).filter(function(iframe){
    return null !== get_document(iframe);
  });
}

/*
get_accessible_iframes();     // same as `get_accessible_iframes(self);`
get_accessible_iframes(top);
*/

Also available as a gist here: https://gist.github.com/eladkarako/2e2450fe6b2b01b3263f342519f5cd87

HTTP Methods (Standard, WebDAV and Non-Standard)

The list mixes the standard methods (RFC 7231 and RFC 5789), the WebDAV ones (RFC 4918) and two names that are not HTTP methods at all but turn up in permissive Access-Control-Allow-Methods values:

CONNECT – standard (a forbidden method for page scripts; fetch/XHR will not send it)
COPY – WebDAV
DELETE – standard
GET – standard
HEAD – standard
LOCK – WebDAV
MKCOL – WebDAV
MOVE – WebDAV
OPTIONS – standard (the CORS preflight itself)
PATCH – standard (RFC 5789)
PING – not an HTTP method; the <a ping> attribute sends a POST
POST – standard
PROPFIND – WebDAV
PROPPATCH – WebDAV
PUT – standard
TRACE – standard (a forbidden method for page scripts)
UNLOCK – WebDAV
X-PINGOTHER – not a method; it is the custom request header name used in MDN's CORS examples

You might find it especially useful for the CORS directive;
here is an example of how to use it for Access-Control-Allow-Methods (PHP):

<?php
header('Access-Control-Allow-Methods: CONNECT,COPY,DELETE,GET,HEAD,LOCK,MKCOL,MOVE,OPTIONS,PATCH,PING,POST,PROPFIND,PROPPATCH,PUT,TRACE,UNLOCK,X-PINGOTHER');
?>