This one crept on me and while I thought I was on the right track it wasn’t until I came across a tech-note on Adobe’s site that finally led me down the right path which incidentally I only found by accident. The main issue was a SecurityViolation Error which is common place in dealing with accessing data in different domains. Usually we all know about this, and is fixed in implementing the correct subdomain accessor in the crossdomain.xml however even after it was deployed the app was still throwing this error, which made me now think the wildcard initiator doesn’t work as intended.

It turns out that not only does your crossdomain need to have the allow access from node, if the page and requested data use different protocols that a secure attribute must be added.

When your application is in HTTP and you want HTTPS data use:

allow-access-from domain=”*.mydomain.com” secure=”false”

WHen your application is in HTTPS and you want HTTP data use:

allow-access-from domain=”*.mydomain.com” secure=”true”