Written by Ulises Gascón, Apr 08, 2020 — 1 min read
Adobe Flash and Adobe Acrobat can load content from your domain even when they are running on other sites (in other words, cross-domain). In rare cases this could cause unexpected data disclosure, and it could also cause extra bandwidth usage.
The X-Permitted-Cross-Domain-Policies header tells clients like Flash and Acrobat what cross-domain policies they can use. If you don’t want them to load data from your domain, set the header’s value to none, so that responses carry X-Permitted-Cross-Domain-Policies: none.
If Flash loads something from your site and sees that header, it’ll know that it shouldn’t load data from your domain.
The crossdomain middleware prevents Adobe Flash and Adobe Acrobat from loading content on your site:
```js
const express = require('express')
const helmet = require('helmet')

const app = express()

// Sets "X-Permitted-Cross-Domain-Policies: none"
app.use(helmet.permittedCrossDomainPolicies())
```
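To confirm that a deployment actually sends the header, a check like the following can be run over captured response headers. It is an added example, not code from the original post or from Helmet; the function name `auditCrossDomainPolicy` and the sample headers are assumptions constructed for illustration.

```javascript
// Added example, not Helmet's code. Sample headers below are constructed.
const HEADER = 'x-permitted-cross-domain-policies';
// Meta-policy values recognised for the HTTP header.
const KNOWN_POLICIES = new Set(['none', 'master-only', 'by-content-type', 'all']);

function auditCrossDomainPolicy(headers, expected = 'none') {
  // Header names are case-insensitive; a header may repeat or be comma-joined.
  const values = Object.entries(headers)
    .filter(([name]) => name.toLowerCase() === HEADER)
    .flatMap(([, v]) => (Array.isArray(v) ? v : String(v).split(',')))
    .map((v) => v.trim().toLowerCase())
    .filter(Boolean);
  const distinct = [...new Set(values)];

  if (distinct.length === 0) return { ok: false, value: null, reason: 'header missing' };
  if (distinct.length > 1) {
    return { ok: false, value: distinct.join(','), reason: 'conflicting values' };
  }
  const [value] = distinct;
  if (!KNOWN_POLICIES.has(value)) return { ok: false, value, reason: 'unrecognised value' };
  if (value !== expected) return { ok: false, value, reason: `expected ${expected}` };
  return { ok: true, value, reason: 'matches expected policy' };
}

// Constructed responses: one from an app using the middleware, three without it.
const samples = {
  hardened: { 'X-Permitted-Cross-Domain-Policies': 'none', 'Content-Type': 'text/html' },
  missing: { 'Content-Type': 'text/html' },
  permissive: { 'x-permitted-cross-domain-policies': 'all' },
  duplicated: { 'x-permitted-cross-domain-policies': ['none', 'master-only'] },
};

for (const [name, headers] of Object.entries(samples)) {
  const { ok, value, reason } = auditCrossDomainPolicy(headers);
  console.log(`${name}: ${ok ? 'PASS' : 'FAIL'} (${value ?? 'no value'}; ${reason})`);
}
```

Only the `hardened` sample passes; the other three are reported with the reason the check failed.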