This post is a reminder to myself (and a source of help to anyone who may need it). For a long time I thought a cross-domain policy file in a web server’s root directory solves all cross-domain security issues automagically – until I stumbled over the fact that I wasn’t able to manipulate the bitmap data of an image that was loaded from outside my SWF file’s domain.