As per the Adobe Crossdomain policy spec,
- The swf sees that there is a crossdomain policy specified.
- It checks the master policy file to see if the specified policy file is permitted.
- Since the specified master policy file is not permitted, it DEFAULTS to load the master policy file and grant permission accordingly.