We ran into a similar situation with having the crossdomain.xml policy file in a subdirectory of a site.
The phase 3 change that went into affect with FP10.02 requires the root directory of the site to have a meta policy file (policy file for policy files) that allows for the use of policy files in subdirectories. If it is missing then the site-control permitted-cross-domain-policies defaults to "master only", causing all other policy files to fail security check. Therefore, the crossdomain.xml meta policy file placed in the root directory will have the following: <?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd <http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd> "> <cross-domain-policy> <!-- The crossdomain meta policy file must be copied to the root of your site --> <!-- Allow subsite policy files --> <site-control permitted-cross-domain-policies="all"/> </cross-domain-policy> Then the subdirectory policy files will look something like the following: <?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd <http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd> "> <cross-domain-policy> <allow-access-from domain="YourDomainHere" to-ports="80" /> <!--above is best practice OR <allow-access-from domain="*" />--> <allow-http-request-headers-from domain="YourDomainHere" headers="*" /> <!--above is best practice OR <allow-http-request-headers-from domain="*" headers="*" />--> </cross-domain-policy> The important part is having the meta policy file in the root directory. Hope this helps, CJ