The spec for cross domain policy files says that you can put the crossdomain.xml
file outside the root through the use of an X-Permitted-Cross-Domain-Policies
header. How exactly does one go about doing that? I want to put a crossdomain.xml
file in a subdirectory (I don't have access to the root). This is from page 11 of the spec:
When clients require a policy file, they look at the root by default. A domain should always host a master policy file to enforce its intended meta-policy. If a client is instructed to load a policy file other than the master policy file, the client must still check the master policy file to ensure that the meta-policy defined by the master policy file permits the use of the originally requested policy file.
Without a master policy file, it is left to the client to enforce the default behavior. Instead of relying entirely on master policy files for meta-policies, clients may also decide to check for a X-Permitted-Cross-Domain-Policies header in documents to specify a meta-policy. In addition to the values acceptable in permitted-cross-domain-policies, this header may also use a value of none-this-response to indicate that the current document should not be used as a policy file despite other headers or its content. Non-master policy files can only grant access to data within their own directory or subdirectories.
I'm guessing you want to use the crossdomain.xml for a Flash client? Fact is, by default a Flash client always tries to find that file in the root. As the specs state, everything else must be set in the client. I'm not a Flash coder - you should tag this question with "flash" or whatever else the client is coded in.
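The rules in the spec passage quoted in the question can be modelled as a client-side decision, shown here as an added example that is not part of the original question or answer and is not Flash Player's own code. The function name is hypothetical, the meta-policy values other than none-this-response come from Adobe's specification rather than from this page, and the model covers HTTP only.

```python
import posixpath

MASTER_PATH = "/crossdomain.xml"
POLICY_CONTENT_TYPE = "text/x-cross-domain-policy"
# Meta-policy values from Adobe's specification (assumption: not listed on this page).
KNOWN_META_POLICIES = {"none", "master-only", "by-content-type", "by-ftp-filename", "all"}


def policy_file_applies(meta_policy, policy_path, resource_path,
                        content_type="text/xml", response_header=None):
    """Hypothetical helper: may the policy file at policy_path authorize resource_path?

    meta_policy     -- meta-policy already resolved by the client, from the master
                       policy file or an X-Permitted-Cross-Domain-Policies header
    content_type    -- Content-Type the policy file was served with
    response_header -- X-Permitted-Cross-Domain-Policies value sent with the
                       policy file itself, if any
    """
    # The header on the policy file's own response can veto it outright.
    if response_header == "none-this-response":
        return False
    # Fail closed on "none" and on values this model does not know.
    if meta_policy not in KNOWN_META_POLICIES or meta_policy == "none":
        return False

    policy_path = posixpath.normpath(policy_path)
    resource_path = posixpath.normpath(resource_path)  # collapses "../" segments
    if policy_path == MASTER_PATH:
        return True  # the master policy file covers the whole domain

    # Everything below concerns non-master policy files.
    if meta_policy in ("master-only", "by-ftp-filename"):
        return False  # by-ftp-filename does not apply to HTTP
    media_type = content_type.split(";")[0].strip().lower()
    if meta_policy == "by-content-type" and media_type != POLICY_CONTENT_TYPE:
        return False
    # A non-master file only grants access within its own directory and below.
    scope = posixpath.dirname(policy_path).rstrip("/") + "/"
    return resource_path.startswith(scope)
```

With a subdirectory policy file, the result depends entirely on what the root meta-policy allows, which is why a site owner who wants to block stray policy files sets the meta-policy to master-only or none.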