Consider adding the parameters to URL instead of pushing them into POST request body. That is form the URL of the URLRequest however you want, so it will look like: domain/uploading-script?param=value&anotherParam=value You don't have to specify Security.allowDomain() for what you are doing, unless you need that for something else. The warning you are getting for your crossdomain means exactly this: crossdomain files which describe security policy for operations accomplished through HTTP are not allowed to have "secure" attribute because this attribute affects only the crossdomain policies for sockets (that is plain TCP connections not restricted to HTTP protocol). So far I can see from your code you are not adding any custom header, so, that's definitely not the problem with it, however, FileReference is known for not sending session cookies for example. I'm saying this just in case you googled for FileReference related problems and bumped into someone mentioning that - again, this is not your problem, or, at least this is not what seems to be you problem from how you describe it.
Best. Oleg

