X-Permitted-Cross-Domain-Policies
Enabled Smaller but still important security response headers.
The X-Permitted-Cross-Domain-Policies header is used to permit cross-domain requests from Flash and PDF documents. In most cases, these permissions are defined in an XML document called crossdomain.xml found in the root directory of the web page. For situations in which the root directory cannot be specified, however, this header can be used to define a desired meta policy. The X-Permitted-Cross-Domain-Policies header should ideally be set as restrictively as possible.
Usage
This header is enabled by default but you can change its behavior like following.
export default defineNuxtConfig({ // Global security: { headers: { xPermittedCrossDomainPolicies: <OPTIONS>, }, }, // Per route routeRules: { '/custom-route': { headers: { 'X-Permitted-Cross-Domain-Policies': <OPTIONS> }, } }})
You can also disable this header by xPermittedCrossDomainPolicies: false
.
Default value
By default, Nuxt Security will set following value for this header.
X-Permitted-Cross-Domain-Policies: none
Available values
The xPermittedCrossDomainPolicies
header can be configured with following values.
xPermittedCrossDomainPolicies: 'none' | 'master-only' | 'by-content-type' | 'by-ftp-filename' | 'all' | false;
none
Will prevent the browser from MIME-sniffing a response away from the declared content-type.
master-only
Only this master policy file is allowed.
by-content-type
HTTP/HTTPS only Only policy files served with Content-Type: text/x-cross-domain-policy are allowed.
by-ftp-filename
FTP only Only policy files whose filenames are crossdomain.xml (i.e. URLs ending in /crossdomain.xml) are allowed.
all
All policy files on this target domain are allowed.