After switching my AIR application into new AIR 2.5 SDK, boom! Every single URLRequest threw an IOErrorEvent. No other exception thrown. So I started digging in in order to find the cause and it appeared to be Security.loadPolicyFile() execution (I am reusing some libs containing these lines) that blocked it all quietly. First I tried to do try-catch block over it, but with no success. Than I just removed the lines for AIR project and voilà, everything back to normal again. URLRequests works again. It seems like AIR does not need loadPolicyFile() for URLRequests at all. Interesting that these loadPolicyFile() were targeting total different domain and were able to break any other requests.
I was about to publish an article about a bug in flash player, that loadPolicyFile() method fails when loading crossdomain policy files from a custom location (not domain root), but I soon realized that it is not a bug, but a feature :-).
It seems like flash player (WIN 10,1,50,426, debug) ignores crossdomain files loaded from a custom location. The documentation defines Security.loadPolicyFile() as a method to be used to download “cross-domain policy file from a location specified by the url parameter”, it does not work at all. Even the custom crossdomain.xml is requested (debuged with proxy software), the flash application somehow ignores it and tries to load crossdomain.xml file from a domain root. And if there is none on the domain root (why would it be, when you need to load custom one) all your loads results in security error.
After some investigation, I found out, that it is required to have a domain root crossdomain file that allows handling with cross-domain files located besides domain root via site-control element. Long story short, cross-domain security is an alchemy and one should read the whole specification. Long story even shorter, if you have no access to domain root (and there is no required crossdomain file with allow-access-from or site-control),
you are doomed (flash application will not let you handle file contents from the location) … please read the update part (not doomed at all)! Lets have a quick look at scenario with the site-control on domain root and allow-access-from on custom location: