crossdomain.xml, quite a simple concept which most of the developers might have came through, though just for info :-
A cross-domain policy file is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains. When clients request content hosted on a particular source domain and that content make requests directed towards a domain other than its own, the remote domain needs to host a cross-domain policy file that grants access to the source domain, allowing the client to continue the transaction.
Secure HLS streaming : https://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/StreamingMediaGuide/UsingHTTPLiveStreaming/UsingHTTPLiveStreaming.html
The question :
I have a flash hls player (player.swf) that is on my site www.A.com. Now the request is being made to a media server www.B.com/playlist.m3u8 which is a secure hls request (AES-128 encrypted). The key url contained in playlist.m3u8 points to a web server www.C.com/keyPage.jsp
Now my player.swf ideally should call crossdomain.xml for both the servers while calling them and proceed with the subsequent calls, though in my case once the player receive the second crossdomain.xml from www.C.com it stops making any other call. However if I move the key delivery application from www.C.com to www.A.com it works fine.
I am really confused on such a behavior as according to the documents crossdomain.xml is used by destination server to validate a client which resides on some other server.So how does it matter if I am using multiple servers and providing crossdomain xml for all of them for a single flash application.
P.S. - I have tried the same process with different online hls players available and everyone of them depicts the same behavior
EDIT 1 Just for reference my crossdomain xml is
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
<site-control permitted-cross-domain-policies="all"/>
</cross-domain-policy>