Fix ambiguous language around `crossdomain.xml` and `clientaccesspolicy.xml` recommendation

> These should not be present unless specifically needed.

https://github.com/mozilla/infosec.mozilla.org/blame/ea5e79e19ef49d73cfea8b77759384b543fe232c/docs/guidelines/web_security.md#L572

Does this mean the `crossdomain.xml` and `clientaccesspolicy.xml` files should not be present? I'm unclear if this is referring to the files or the files and the header.