Same-Origin Policy, CORS & crossdomain.xml – What you Need to Know

Reinhard Grandl
. 1 min read
cors crossdomain.xml

Nearly everyone, who works with video streaming will sooner or later face CORS & crossdomain.xml. But what’s it all about?
crossdoamin.xml and CORSTo get an idea of what CORS (Cross-Origin Resource Sharing) is, we have to start with the so called Same-Origin Policy which is a security concept for the web. Sounds sophisticated, but only makes sure a web browser permits scripts, contained in a web page to access data on another web page, but only if both web pages have the same origin. In other words, requests for data must come from the same scheme, hostname, and port. If https://player.example tries to request data from https://content.example, the request will usually fail.
After taking a second look it becomes clear that this prevents the unauthorized leakage of data to a third-party server. Without this policy, a script could read, use and forward data hosted on any web page. Such cross-domain activity might be used to exploit cookies and authentication data. Therefore, this security mechanism is definitely needed.


If you want to store content on a different origin than the one the player requests, there is a solution – CORS. In the context of XMLHttpRequests, it defines a set of headers that allow the browser and server to communicate which requests are permitted/prohibited. It is a recommended standard of the W3C. In practice, for a CORS request, the server only needs to add the following header to its response:

Access-Control-Allow-Origin: *

For more information on settings (e.g. GET/POST, custom headers, authentication, etc.) and examples, refer to


A cross-domain policy file is needed for Flash. It is an XML document that grants a web client, such as Adobe Flash Player permission to handle data across domains. A simple crossdomain.xml could look like this:
The crossdomain.xml example contains a single cross-domain-policy which allows access from every domain (wildcard in domain attribute) to the ports 80 and 443 (to-ports attribute). More information on settings and examples for such XML files, can be found at the related article from Adobe.


The bottom line is, that if a player has to load content from a different origin, we have to deal with the security concept called Same-Origin Policy. But, using mechanisms like CORS and the cross-domain policy file, we already have the solution in hand.
How to ensure the security of your content although cross-domain activity is allowed, is a whole different story and can be read about in our DRM section.
All the best,
a Bitmover called Reinhard.
Follow us on Twitter: @bitmovin

PS: If you want to encode MPEG-DASH & HLS content – check out our encoding section!

Reinhard Grandl

Reinhard Grandl

VP Product

Reinhard received his Master degree from the Alpen-Adria Universität Klagenfurt, specializing on Networked and Embedded Systems, in 2014 and joined Bitmovin in 2013 as part of the player department. Reinhard’s background includes positions in international research and development companies. As a product leader he has a proven track record of delivering products that exceed customer expectations and drive revenue growth. He is passionate about using technology to solve real-world problems.

Related Posts

CORS - Bitmovin

Open-Source vs. Commercial Players: Understanding the True Cost of Ownership

Join the conversation