I came across cross-domain XML files on Vimeo and found that there are different policies in different directories.
One on https://vimeo.com/settings/crossdomain.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="none" secure="false"/>
<allow-http-request-headers-from domain="none" headers="*"/>
</cross-domain-policy>
Another on https://vimeo.com/crossdomain.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="by-content-type" />
</cross-domain-policy>
I want to know what factors decide which policy is prioritized. Can we say it is an overly permissive crossdomain XML file (looking at the first one)?
Also, what does this line mean?
<site-control permitted-cross-domain-policies="by-content-type" />