Question

I have a swf on localhost which tries to read a text file from another server - example.com. The text file is in a subdirectory as follows: example.com/test/example.txt

First, here are the contents of the root and the sub-directory:

www.example.com:

/crossdomain.xml

<?xml version="1.0"?>   
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <site-control permitted-cross-domain-policies="master-only"/> 
    <allow-access-from domain="*" secure="false" />
</cross-domain-policy>

/test/crossdomain.xml

<?xml version="1.0"?>   
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="*"/>
</cross-domain-policy>

/test/example.txt

Now if I explicitly mention in my actionscript as follows:

Security.loadPolicyFile("http://example.com/test/crossdomain.xml");

And then load: http://example.com/test/example.txt in the actionscript. Now the first action should be to check the master policy file under root to check if its meta-policy allows the loading of the crossdomain.xml from the test folder. Since here the meta-policy specifies "master-only", I am assuming the policy file specified by Security.loadPolicyFile() will not be loaded. But my question is: after this check, will the master policy file allow the access request of the text file from the test folder because of the policy <allow-access-from domain="*" secure="false" /> specified in the master policy file?


Solution

As per the Adobe Crossdomain policy spec,

  1. The swf sees that there is a crossdomain policy specified.
  2. It checks the master policy file to see if the specified policy file is permitted.
  3. Since the specified master policy file is not permitted, it DEFAULTS to load the master policy file and grant permission accordingly.
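
The decision discussed above can be checked offline against the master policy file from the question. This is an added example, not code from the original post or from Adobe: the function names are hypothetical, domain matching is simplified to shell-style wildcards, and a missing `<site-control>` is assumed to behave as "master-only".

```python
import fnmatch
import xml.etree.ElementTree as ET

# Master policy file copied from the question (served at /crossdomain.xml).
MASTER = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <site-control permitted-cross-domain-policies="master-only"/>
    <allow-access-from domain="*" secure="false" />
</cross-domain-policy>"""

MASTER_PATH = "/crossdomain.xml"


def meta_policy(master_xml):
    """Return the meta-policy declared by <site-control> in the master file."""
    node = ET.fromstring(master_xml).find("site-control")
    # Assumption: with no <site-control>, treat the file as "master-only".
    if node is None:
        return "master-only"
    return node.get("permitted-cross-domain-policies", "master-only")


def policy_file_permitted(master_xml, policy_path):
    """True/False if the meta-policy decides it; None if it depends on
    transport details (by-content-type, by-ftp-filename) not modelled here."""
    meta = meta_policy(master_xml)
    if meta == "none":
        return False
    if policy_path == MASTER_PATH or meta == "all":
        return True
    return False if meta == "master-only" else None


def master_allows(master_xml, requester_domain):
    """True if any <allow-access-from> in the master file matches the requester."""
    patterns = [n.get("domain", "") for n in ET.fromstring(master_xml).iter("allow-access-from")]
    return any(fnmatch.fnmatchcase(requester_domain.lower(), p.lower()) for p in patterns)


def wildcard_grants(master_xml):
    """Audit helper: list the allow-access-from entries that match every domain."""
    return [n.attrib for n in ET.fromstring(master_xml).iter("allow-access-from")
            if n.get("domain") == "*"]


if __name__ == "__main__":
    print("meta-policy:", meta_policy(MASTER))
    print("/test/crossdomain.xml honoured:", policy_file_permitted(MASTER, "/test/crossdomain.xml"))
    print("master grants localhost:", master_allows(MASTER, "localhost"))
    print("wildcard grants:", wildcard_grants(MASTER))
```

For the files in the question, the sub-directory policy file is rejected and the grant comes from the master file alone; `wildcard_grants` flags the `domain="*"` entry with `secure="false"` that makes that grant apply to every origin.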
Licensed under: CC-BY-SA with attribution