Allow cross-domain calls
APPLIES TO: All API Management tiers
Use the cross-domain
policy to make the API accessible from Adobe Flash and Microsoft Silverlight browser-based clients.
Note
Set the policy's elements and child elements in the order provided in the policy statement. Learn more about how to set or edit API Management policies.
Policy statement
<cross-domain>
<!-Policy configuration is in the Adobe cross-domain policy file format,
see https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/CrossDomain_PolicyFile_Specification.pdf-->
</cross-domain>
Caution
Use the *
wildcard with care in policy settings. This configuration may be overly permissive and may make an API more vulnerable to certain API security threats.
Elements
Child elements must conform to the Adobe cross-domain policy file specification.
Usage
- Policy sections: inbound
- Policy scopes: global
- Gateways: classic, v2, consumption, self-hosted
Example
<cross-domain>
<cross-domain-policy>
<allow-http-request-headers-from domain='*' headers='*' />
</cross-domain-policy>
</cross-domain>
Related policies
Related content
For more information about working with policies, see:
- Tutorial: Transform and protect your API
- Policy reference for a full list of policy statements and their settings
- Policy expressions
- Set or edit policies
- Reuse policy configurations
- Policy snippets repo
- Azure API Management policy toolkit
- Author policies using Microsoft Copilot in Azure