Same-Origin Policy, CORS & crossdomain.xml – What you Need to Know

Written by:
July 30th, 2015

Nearly everyone, who works with video streaming will sooner or later face CORS & crossdomain.xml. But what’s it all about?

crossdoamin.xml and CORSTo get an idea of what CORS (Cross-Origin Resource Sharing) is, we have to start with the so called Same-Origin Policy which is a security concept for the web. Sounds sophisticated, but only makes sure a web browser permits scripts, contained in a web page to access data on another web page, but only if both web pages have the same origin. In other words, requests for data must come from the same scheme, hostname, and port. If http://player.example tries to request data from http://content.example, the request will usually fail.

After taking a second look it becomes clear that this prevents the unauthorized leakage of data to a third-party server. Without this policy, a script could read, use and forward data hosted on any web page. Such cross-domain activity might be used to exploit cookies and authentication data. Therefore, this security mechanism is definitely needed.


If you want to store content on a different origin than the one the player requests, there is a solution – CORS. In the context of XMLHttpRequests, it defines a set of headers that allow the browser and server to communicate which requests are permitted/prohibited. It is a recommended standard of the W3C. In practice, for a CORS request, the server only needs to add the following header to its response:

Access-Control-Allow-Origin: *

For more information on settings (e.g. GET/POST, custom headers, authentication, etc.) and examples, refer to


A cross-domain policy file is needed for Flash. It is an XML document that grants a web client, such as Adobe Flash Player permission to handle data across domains. A simple crossdomain.xml could look like this:

The crossdomain.xml example contains a single cross-domain-policy which allows access from every domain (wildcard in domain attribute) to the ports 80 and 443 (to-ports attribute). More information on settings and examples for such XML files, can be found at the related article from Adobe.


The bottom line is, that if a player has to load content from a different origin, we have to deal with the security concept called Same-Origin Policy. But, using mechanisms like CORS and the cross-domain policy file, we already have the solution in hand.

How to ensure the security of your content although cross-domain activity is allowed, is a whole different story and can be read about in our DRM section.

All the best,
a Bitmover called Reinhard.

Follow us on Twitter: @bitmovin

PS: If you want to encode MPEG-DASH & HLS content – check out our encoding section!

Simple Share Buttons