Just got done spending my afternoon tracking this one down. Had a Flash app on one domain, calling some web services from another.
The crossdomain.xml policy file worked perfectly fine up until 18.104.22.168 (Which BTW gets automatically installed with the Mac OS 10.5.3 update), then stopped working.
Started getting the:
Request for resource at (url) by requestor from (url) is denied due to lack of policy file permissions.
Set up the policy logging, and found out the WSDLs were being loaded just fine, but everything failed when it came to actually calling a service.
Pored over the security article on Adobe’s site. Couldn’t find anything.
Finally ended up stumbling on this TechNote, which solved the problem for me.
After finding the problem, also saw the section in the Flash Player 9 Security PDF.
What was needed?
Needed to allow the SOAP headers.
Hopefully this might help someone else.