Thursday, April 2, 2009

Cross-Domain Policy Files

A cross-domain policy file (crossdomain.xml) is used by Adobe Flash to determine whether a Flash object is allowed to access resources from a domain other than the one it is currently running from.

The master cross-domain policy file has to be located at the root of the server, e.g. http://api.flickr.com/crossdomain.xml.

The root element of the crossdomain.xml file is the cross-domain-policy tag which can contain one of the following:

allow-access-from
The allow-access-from element allows other domains to access resources. Attributes used with this element are domain (to specify a domain name; wildcards are supported), to-ports (to specify a comma-separated list or hyphenated range of ports), and secure (set to false for an HTTPS policy file to be used for allowing an HTTP request).

site-control
The site-control element is valid only within the master policy file (the policy file located at the domain root). It determines whether policy files other than the master policy file are permitted. Its permitted-cross-domain-policies attribute takes one of the values none, master-only, by-content-type, by-ftp-filename, or all. Using none prevents the use of any cross-domain policy files for this domain, master-only specifies that only the policy file located at the root is permitted, by-content-type indicates that any file served via HTTP or HTTPS with a content type of text/x-cross-domain-policy is permitted, by-ftp-filename indicates that any file with the name crossdomain.xml is permitted, and all indicates that any policy file on the domain is allowed.

allow-http-request-headers-from
The allow-http-request-headers-from element allows a request from another domain to include custom headers. Attributes used within this element are domain (to specify a domain name), headers (to specify a comma-separated list of headers, an asterisk, or a header with a wildcard suffix), and secure (set to false for an HTTPS policy file to be used for allowing an HTTP request).


The following is an example of a cross domain policy file:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="www.company.com" />
</cross-domain-policy>

The cross domain policy file should be served with the MIME type of text/*, application/xml, or application/xhtml+xml, but the preferred content type is text/x-cross-domain-policy.
