For security reasons, a Macromedia Flash movie playing in a web browser is not allowed to access data that resides outside the exact web domain from which the SWF originated.
As an enhancement to Macromedia Flash Player 7, domains must be identical for data to be read. With this change a sub-domain can no longer read data from a parent domain and vice versa.
Cross-domain policy files
Another change to the Flash Player 7 framework is the use of cross-domain policy files. A policy file is a simple XML file that gives the Flash Player permission to access data from a given domain without displaying a security dialog. When placed on a server, it tells the Flash Player to allow direct access to data on that server, without prompting the user grant access.
The server can be in any location available to the Flash movie and does not have to be in the same domain. Cross-domain policy files, named crossdomain.xml, are placed at the root level of a server. When using a policy file you can use a wildcard character (*) in a domain name. For more information on policy files see Why Use Policy Files below.
Note: When serving a policy file, you must not use a cross-domain redirect, or the player will ignore the policy file.
Example: A public server that allows data access from any domain
Some sites are intended to be accessed by anyone. They contain publicly available data, such as news feeds and web services.
The Flash Player, and web browsers, generally disallow access to data outside the current domain. Because of this, a common practice is to deploy a proxy script on the server that hosts the Flash movie, which then requests data server-side before returning it to the movie.
This is a standard practice, but it requires the creator of the Flash movie create server-side logic just to access public data. If the public server has a policy file, all Flash movies can access its data without any additional server scripts.
A policy file that permits all domains to access it uses a wild card instead of specifying individual domains.
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
It is saved as crossdomain.xml and placed on the site root of the public server.
Note: This practice is suitable for public servers, but should not be used for sites located behind a firewall because it could permit access to protected areas. It should not be used for sites that require authentication in the form of passwords or cookies.
Read more at official Adobe Knoweldge Base.