Adobe Flash Player uses its own security model. By default, Flash Player restricts cross-domain access according to the same-origin policy. Individual web sites can override this default behavior. To do so, the web site administrator creates a set of policy definitions in the site's crossdomain.xml file. The crossdomain.xml file lists the other domains that can access resources at or below the level where the file exists. The domain being checked is the domain of the web page hosting the Flash SWF file or movie, not the domain that the Flash SWF came from. The crossdomain.xml file can also specify ports (e.g. port 80 for HTTP protocol, vs. port 443 for HTTPS) and can specify whether the Flash movie must have been retrieved securely.
Unless a domain is used exclusively for API access, you should not open up access with a root-level crossdomain.xml file, for security reasons. If the policy file is not at the root level of the web server, clients must explicitly load the relevant policy files.
Your site can automatically create a crossdomain.xml policy file for each of the APIs so that they can be accessed using Flash from other domains. To load the policy file for the CRConsAPI you would use a URL similar to this one:
https://secure2.convio.net/organization/site/CRConsAPI/crossdomain.xml
The list of sites allowed access by this policy is configured as a white list in the Open API Configuration settings screen. To configure it, log in as a site administrator, and from the Settings menu, select Site Options. When the Site Options page loads, click the Open API Configuration tab.
The policy for each API must be loaded separately by each Flash SWF that references it, and calls to the API from within Flash must include a trailing slash after the servlet name (e.g. CRConsAPI/?v=1.0, not CRConsAPI?v=1.0).
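To review what a generated policy actually grants, the following added example (not part of the original page and not Convio's code) parses a crossdomain.xml document and flags entries broader than a named-domain white list. The sample policy and its domains are constructed, the function names are hypothetical, and the matcher assumes the policy file itself is served over HTTPS.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy; the domains are placeholders, not real settings.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.example.org"/>
  <allow-access-from domain="*.example.net" secure="false"/>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

def parse_policy(xml_text):
    """Return (domain, secure) for every allow-access-from entry."""
    # Intended for your own site's policy file, not arbitrary untrusted XML.
    root = ET.fromstring(xml_text)
    entries = []
    for node in root.iter("allow-access-from"):
        domain = node.get("domain", "").strip().lower()
        # secure defaults to true when the attribute is absent.
        secure = node.get("secure", "true").strip().lower() != "false"
        entries.append((domain, secure))
    return entries

def audit(entries):
    """Flag entries that grant more access than a named-domain white list."""
    findings = []
    for domain, secure in entries:
        if domain == "*":
            findings.append((domain, "wildcard: any domain may read responses"))
        elif domain.startswith("*."):
            findings.append((domain, "wildcard: every subdomain is trusted"))
        if not secure:
            findings.append((domain, "secure=false: SWF need not be loaded over HTTPS"))
    return findings

def is_allowed(entries, requesting_host, over_https):
    """Simplified matcher (assumption: '*.x' covers subdomains of x only)."""
    host = requesting_host.lower()
    for domain, secure in entries:
        if secure and not over_https:
            continue  # entry requires the SWF to have been retrieved securely
        if domain in ("*", host):
            return True
        if domain.startswith("*.") and host.endswith(domain[1:]):
            return True
    return False

if __name__ == "__main__":
    for domain, reason in audit(parse_policy(SAMPLE_POLICY)):
        print(f"{domain}: {reason}")
```

Running the audit against the policy served at each API's crossdomain.xml URL after changing the white list confirms that only the intended domains were granted access.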