Similar to ‘crossdomain.xml’, Silverlight has some security features, this too is often noticeable by large number of HTTP 404 errors for a file named ‘clientaccesspolicy.xml’ in my webserver logs.

The most simple solution to the 404’s that restricts Silverlight is to add an empty file at the root of your websites.


Cross-Origin Resource Sharing (CORS) Header

Crossdomain access can be enabled in JavaScript with a mechanism similar to that in Flash. Instead of hosting a crossdomain.xml file though, crossdomain access is enabled per file, through an additional HTTP response header:

Access-Control-Allow-Origin: *

CORS is a more modern equivalent to JSONP for cross-domain XmlHttpRequests(AJAX) with options to limit domains, subdomains and ports.

Initial browser support:

  • Firefox 3.5
  • Chrome 4
  • Safari 3.2
  • MSIE 8



Adobe FlashPlayer 7 added several security features. I first became aware of this one as I saw a large number of HTTP 404 errors for a file named ‘crossdomain.xml’ in my webserver logs. (see also clientaccesspolicy.xml)

If you use flash on your website, I’d suggest adding an appropriate copy of this file to limit your exposure to some potential security issues.

Restricted domains

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "">
<allow-access-from domain="*" />
<allow-access-from domain="" />

Open to all domains (not recommended, but fully backward compatible)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "">
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="*"/>
<allow-http-request-headers-from domain="*" headers="*"/>


Google Web Fonts

The use of non-traditional web fonts was once a very challenging task due to various browser specific implementations. Thankfully Google WebFonts have made this easy enough for most developers to add in a cross-browser manner in a matter of minutes.

WARNING, there are a few considerations to make here…

  1. Some browsers displays a blank space in place of the text that uses the font.
  2. … and then re-render text in the web font once it has loaded

Method 1: (most compatible, but cross-browser loading behavior varies)

<link href=',700' rel='stylesheet' type='text/css' />
<style type="text/css">
h1,p { font-family: 'Ubuntu', sans-serif; }

Method 2: (requires javascript, but is consistent cross-browser)

<script type="text/javascript">
WebFontConfig = {
google: { families: [ 'Ubuntu Mono','Ubuntu' ] }
(function() {
var wf = document.createElement('script');
wf.src = ('https:' == document.location.protocol ? 'https' : 'http') + '://';
wf.type = 'text/javascript';
wf.async = 'true';
var s = document.getElementsByTagName('script')[0];
s.parentNode.insertBefore(wf, s);
<style type="text/css">
h1 { font-family: 'Ubuntu Mono','Courier New',monospace; }
p { font-family: 'Ubuntu','sans-serif'; }


Added in MSIE8 and Mozilla Firefox 3.6.9, Apple Safari 4, IE8, and Google Chrome 2 are several mechanisms to defend against cross-domain forgeries.

You can add to your website to make sure it is not embedded in a frame or iframe. This avoids clickjacking.

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a “<frame>” or “<iframe>“. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

Supported Values:

NOTE: “ALLOW-FROM” is supported in some browsers

You can explicitly set this value for ApacheHTTP in the httpd.conf file, your .htaccess files or code it into the page(s) by the application itself.

Example, add this to the apache config file:

Header always set X-Frame-Options DENY