Cross Domain Policy Test
Check whether a site restricts legacy cross-domain policy headers.
What Is a Cross Domain Policy Test?
Cross Domain Policy Test checks whether a page sends X-Permitted-Cross-Domain-Policies. This header controls how legacy cross-domain policy files may be used by clients from the Flash and Silverlight era.
What the Tool Checks
| Check | Why It Matters |
|---|---|
| X-Permitted-Cross-Domain-Policies | Controls whether legacy cross-domain policy files can be used. |
| Policy value | none is the most restrictive. all is broad and should be reviewed. |
| Response headers | Shows all returned headers so you can compare CDN, server, and application behavior. |
How to Read the Results
If the result is Restrictive, the response uses none or master-only.
If the header is missing, add X-Permitted-Cross-Domain-Policies: none when legacy policy files should not be used. If the header is present with all or a conditional mode, confirm that legacy clients still need that behavior.
Note: This is not a CORS test. Modern browser cross-origin access is controlled by Access-Control-* headers; this tool focuses on the legacy cross-domain policy header only.
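The reading rules above expressed as a header check, added here as an example and not the tool's own code. The conditional mode names (by-content-type, by-ftp-filename) come from Adobe's cross-domain policy specification rather than this page, the sample responses are constructed, and flagging a response for review when any copy of the header is broad is an auditing assumption.

```python
# Added example: classify X-Permitted-Cross-Domain-Policies the way the page reads results.
RESTRICTIVE = {"none", "master-only"}
# Assumption: conditional modes named in Adobe's cross-domain policy spec, not on this page.
CONDITIONAL = {"by-content-type", "by-ftp-filename"}
HEADER = "x-permitted-cross-domain-policies"


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Parse a raw HTTP response head into (lowercased name, value) pairs."""
    pairs = []
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                           # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def classify(raw: str) -> str:
    """Return 'missing', 'restrictive', 'review' or 'invalid'."""
    values = [v.lower() for n, v in parse_headers(raw) if n == HEADER]
    if not values:
        return "missing"
    # A CDN and an origin can each add the header; as a conservative audit
    # choice, flag the response if any copy carries a broad value.
    tokens = {t.strip() for v in values for t in v.split(",")}
    if "all" in tokens or tokens & CONDITIONAL:
        return "review"
    if tokens <= RESTRICTIVE:
        return "restrictive"
    return "invalid"                        # unrecognised token, e.g. a typo


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "locked": "HTTP/1.1 200 OK\r\nX-Permitted-Cross-Domain-Policies: none\r\n\r\n",
    "absent": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "broad": "HTTP/1.1 200 OK\r\nx-permitted-cross-domain-policies: ALL\r\n\r\n",
    "mixed": ("HTTP/1.1 200 OK\r\nX-Permitted-Cross-Domain-Policies: master-only\r\n"
              "X-Permitted-Cross-Domain-Policies: by-content-type\r\n\r\n"),
    "typo": "HTTP/1.1 200 OK\r\nX-Permitted-Cross-Domain-Policies: nonee\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {classify(raw)}")
```

The "mixed" sample is the case a header audit most often misses: the origin sets a restrictive value and another layer appends a broader one.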
Frequently Asked Questions
It controls whether legacy clients may use cross-domain policy files such as crossdomain.xml. Modern web apps usually rely on CORS, but this header is still useful for header audits and legacy exposure reduction.
none is the most restrictive value because it disables policy files. master-only is also restrictive. Broader modes such as all should be reviewed carefully.
No. CORS uses Access-Control-* headers for modern browsers. This tool focuses only on the legacy X-Permitted-Cross-Domain-Policies header.