OK - I finally found what the problem was! It turns out that the server that was serving up the crossdomain XML was returning it as type "application/x-httpd-php5-source". Turns out that Flash 9's new strict security policy will only accept crossdomain xml files that are content type "text/*" (any type of text), "application/xml", or "application/xhtml+xml". It is, of course, extremely difficult to identify this error because you need to have Flash 9 debugger version installed, policy file logging enabled, and you need to read your policy file log.

I've posted a more thorough explanation of the problem and solution on my blog: http://www.thecosmonaut.com/2008/08/...-policy-files/

Thanks for everyone's input!

Best,

--eric