Is the most restrictive policy in crossdomain.xml equivalent to not having one at all?


I can see in the logs of my server a few HTTP 404s for [mydomain]/crossdomain.xml

I was therefore wondering whether to add this file and configure it with the most restrictive policy. That is (taken from HTML5 Boilerplate):

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <!-- Read this: www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html -->

  <!-- Most restrictive policy: -->
  <site-control permitted-cross-domain-policies="none"/>

  <!-- Least restrictive policy: -->
  <!--
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" to-ports="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*" secure="false"/>
  -->

  <!-- If you host a crossdomain.xml file with allow-access-from domain="*" and don’t understand all of the points described here, you probably have a nasty security vulnerability. ~ simon willison -->
</cross-domain-policy>

Would it be equivalent to not having one at all?

I find the HTTP 404 errors for crossdomain.xml misleading, and hence I want to get rid of them so I can identify the real ones more effectively.

Not quite. The spec states:

In other words, the root cross-domain policy does not contain allow-access-from directives or the HTTP headers. A meta-policy of “none” prevents the use of any other policies that may be present even if the developer included them. It is invalid to have allow-access-from or a header policy within a root cross-domain policy file with a meta-policy of “none”. In cases where an invalid policy has both a “none” setting and other directives, “none” takes precedence and no permissions are allowed on the site.

So, I think the most restrictive technique is to use "none".
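To make the spec rules quoted in the answer concrete, here is an added example (not code from the question, the answer, or HTML5 Boilerplate) that classifies a crossdomain.xml root policy: it reads the `permitted-cross-domain-policies` meta-policy, applies the "none forbids and overrides any allow-access-from / allow-http-request-headers-from directive" rule, and otherwise lists what is granted, flagging the wildcard and `secure="false"` settings from the "least restrictive" block. The sample policies are constructed inline (the "restrictive" one is the file from the question); the `master-only` default for a file with no `<site-control>` element is taken from the Adobe spec's default for URL policy files, and the function and class names are this example's own.

```python
"""Classify a crossdomain.xml root policy by the cross-domain access it grants.

Added example, not part of the original question or answer. Encodes the spec rule
quoted above: under permitted-cross-domain-policies="none" no access or header
directives are valid, and if any are present "none" wins and nothing is granted.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List

# Spec default for HTTP(S)/FTP policy files when <site-control> is absent.
# (Socket policy files default to "all"; this example does not model them.)
DEFAULT_META_POLICY = "master-only"


@dataclass
class PolicyReport:
    meta_policy: str                                   # effective meta-policy value
    grants: List[str] = field(default_factory=list)    # domains granted data access
    header_grants: List[str] = field(default_factory=list)  # domains allowed custom headers
    invalid: bool = False                              # "none" combined with directives
    findings: List[str] = field(default_factory=list)  # human-readable warnings


def analyze_policy(xml_text: str) -> PolicyReport:
    # expat does not fetch the external DTD named in the DOCTYPE, so this is safe
    # for local files; for policies pulled from untrusted hosts use defusedxml.
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError(f"not a cross-domain-policy document: <{root.tag}>")

    site_control = root.find("site-control")
    meta = DEFAULT_META_POLICY
    if site_control is not None:
        meta = site_control.get("permitted-cross-domain-policies", DEFAULT_META_POLICY)

    access = root.findall("allow-access-from")
    headers = root.findall("allow-http-request-headers-from")
    report = PolicyReport(meta_policy=meta)

    if meta == "none":
        # Nothing is granted either way; directives here are a spec violation.
        if access or headers:
            report.invalid = True
            report.findings.append(
                "invalid: access/header directives present under meta-policy none; "
                "none takes precedence and no permissions are granted")
        return report

    for el in access:
        domain = el.get("domain", "")
        report.grants.append(domain)
        if domain == "*":
            report.findings.append(
                'allow-access-from domain="*": any SWF on the web may read this '
                "origin's responses, sent with the user's cookies")
        if el.get("secure", "true").lower() == "false":
            report.findings.append(
                f'secure="false" for {domain}: non-HTTPS SWFs may read HTTPS content')
    for el in headers:
        domain = el.get("domain", "")
        report.header_grants.append(domain)
        if domain == "*" and el.get("headers", "") == "*":
            report.findings.append(
                'allow-http-request-headers-from domain="*" headers="*": any SWF may '
                "send arbitrary request headers")
    if meta == "all":
        report.findings.append(
            "meta-policy all: any file served from this host (e.g. a user upload) "
            "may be loaded as a policy file")
    return report


# Constructed samples. RESTRICTIVE is the H5BP file from the question.
RESTRICTIVE = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="none"/>
</cross-domain-policy>"""

PERMISSIVE = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" to-ports="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*" secure="false"/>
</cross-domain-policy>"""

INVALID = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="none"/>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

NO_SITE_CONTROL = """<cross-domain-policy>
  <allow-access-from domain="example.com"/>
</cross-domain-policy>"""

if __name__ == "__main__":
    for name, text in [("restrictive", RESTRICTIVE), ("permissive", PERMISSIVE),
                       ("invalid", INVALID), ("no-site-control", NO_SITE_CONTROL)]:
        r = analyze_policy(text)
        print(f"{name}: meta={r.meta_policy} grants={r.grants} invalid={r.invalid}")
        for f in r.findings:
            print("  -", f)
```

Running this against the question's file reports meta-policy `none`, no grants and no findings, which is the point of serving it: the 404 disappears and the host still grants nothing. The `INVALID` sample shows the precedence rule from the answer, and `NO_SITE_CONTROL` shows that a file without `<site-control>` is not "no policy" but a `master-only` policy that grants whatever directives it contains.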