Flash security model
Flash® interacts with remote services to establish security according to the restrictions defined in the Flash policy file.
If a socket-based connection is to be used, for example a Diffusion™ DPT type connection, the Flash player tries to get a policy file from the same host that you are trying to connect to, but on port 843. If this port is not open through your firewalls or is not configured within the Diffusion connectors, the Flash player waits 2 seconds before requesting a policy file from the same port that you are trying to connect to. If the policy file request is not responded to correctly or the policy file has restricted the connection, the Flash player generates a security exception and the connection attempt stops.
If an HTTP connection is to be used, for example a Diffusion HTTP type connection, a socket-based policy file is not required, but a crossdomain.xml file might be required before the Diffusion connection is made.
Official Adobe documentation is available at the following location: Cross-domain policy file specification.
FlashPolicy.xml file
When is the FlashPolicy.xml used?
When a Diffusion DPT connection is used, a socket connection is made. Before the socket connection can be established, a socket policy file must be acquired from port 843 or from the port that the Diffusion client is trying to connect to.
Again this is part of the cross-domain schema, but this time the to-ports attribute on the allow-access-from element is particularly important.
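The following added example (not code from Diffusion or Adobe) shows how the to-ports attribute scopes each allow-access-from grant, and how a policy file can be checked for overly broad grants before it is deployed. The sample policy, the host names and all function names are constructed for illustration, and the domain matching is a simplified approximation of the Flash player's rules.

```python
import xml.etree.ElementTree as ET

# Constructed sample socket policy (not shipped with Diffusion).
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.example.com" to-ports="8080,8443" />
  <allow-access-from domain="*" to-ports="9000-9010" />
</cross-domain-policy>"""

def port_allowed(to_ports, port):
    """to-ports is a comma-separated list of ports, ranges (a-b) or '*'."""
    for item in to_ports.split(","):
        item = item.strip()
        if item == "*":
            return True
        low, _, high = item.partition("-")
        if low.isdigit() and (high or low).isdigit():
            if int(low) <= port <= int(high or low):
                return True
    return False

def domain_allowed(pattern, host):
    """Simplified matching (assumption): '*', '*.suffix' or an exact host."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host

def rules(policy_xml):
    """Return (domain, to-ports) for every allow-access-from element."""
    root = ET.fromstring(policy_xml)
    return [(r.get("domain", ""), r.get("to-ports", ""))
            for r in root.iter("allow-access-from")]

def is_permitted(policy_xml, origin_host, port):
    """True if content served from origin_host may open a socket to port."""
    return any(domain_allowed(d, origin_host) and port_allowed(p, port)
               for d, p in rules(policy_xml))

def audit(policy_xml):
    """List grants that are wider than a named domain on named ports."""
    findings = []
    for d, p in rules(policy_xml):
        if d == "*":
            findings.append(f"any origin may reach ports {p}")
        if "*" in [x.strip() for x in p.split(",")]:
            findings.append(f"domain {d} may reach every port")
    return findings
```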
FlashMasterPolicy.xml file
Use of the FlashMasterPolicy file
<site-control permitted-cross-domain-policies="master-only" />
The site-control element here specifies that only this master policy file is considered valid on this domain.