Problems with cross-domain.xml files in Flash 10

I feel as though I am banging my head against a wall on this one. I have tried (I think) every variation on a cross-domain xml file with no success. I just cannot seem to make my cross-domain Loader() requests work, no matter what I try. Here is the output from my policyfiles.txt log file

OK: Root-level SWF loaded: http://cool.com:81/WEBPLAYERAS3.swf
OK: Searching for <allow-access-from> in policy files to authorize data loading from resource at https://replayservice2.secretdomain.com/api/servlet/screenshot/0.8/1.0/9175218823c9438aa322cdb767561dbd.jpg by requestor from http://cool.com:81/WEBPLAYERAS3.swf
OK: Searching for <allow-access-from> in policy files to authorize data loading from resource at https://replayservice2.secretdomain.com/api/servlet/screenshot/0.8/1.0/a61d36278cc44cd1a0b8fa10f3edc914.jpg by requestor from http://cool.com:81/WEBPLAYERAS3.swf
OK: Searching for <allow-access-from> in policy files to authorize data loading from resource at https://replayservice2.secretdomain.com/api/servlet/screenshot/0.8/1.0/ba8d7a1701954a6cb03e7aaf12a26a2b.jpg by requestor from http://cool.com:81/WEBPLAYERAS3.swf
OK: Searching for <allow-access-from> in policy files to authorize data loading from resource at https://replayservice2.secretdomain.com/api/servlet/screenshot/0.8/1.0/91f6f184518247f0916692286dd7101a.jpg by requestor from http://cool.com:81/WEBPLAYERAS3.swf
OK: Policy file accepted: https://replayservice2.secretdomain.com/crossdomain.xml
Error: Request for resource at https://replayservice2.secretdomain.com/api/servlet/screenshot/0.8/1.0/9175218823c9438aa322cdb767561dbd.jpg by requestor from http://cool.com:81/WEBPLAYERAS3.swf is denied due to lack of policy file permissions.
Error: Request for resource at https://replayservice2.secretdomain.com/api/servlet/screenshot/0.8/1.0/a61d36278cc44cd1a0b8fa10f3edc914.jpg by requestor from http://cool.com:81/WEBPLAYERAS3.swf is denied due to lack of policy file permissions.
Error: Request for resource at h开发者_C百科ttps://replayservice2.secretdomain.com/api/servlet/screenshot/0.8/1.0/ba8d7a1701954a6cb03e7aaf12a26a2b.jpg by requestor from http://cool.com:81/WEBPLAYERAS3.swf is denied due to lack of policy file permissions.
Error: Request for resource at https://replayservice2.secretdomain.com/api/servlet/screenshot/0.8/1.0/91f6f184518247f0916692286dd7101a.jpg by requestor from http://cool.com:81/WEBPLAYERAS3.swf is denied due to lack of policy file permissions.
OK: Searching for <allow-access-from> in policy files to authorize data loading from resource at https://replayservice2.secretdomain.com/api/servlet/screenshot/0.8/1.0/9175218823c9438aa322cdb767561dbd.jpg by requestor from http://cool.com:81/WEBPLAYERAS3.swf
Error: Request for resource at https://replayservice2.secretdomain.com/api/servlet/screenshot/0.8/1.0/9175218823c9438aa322cdb767561dbd.jpg by requestor from http://cool.com:81/WEBPLAYERAS3.swf is denied due to lack of policy file permissions.
OK: Searching for <allow-access-from> in policy files to authorize data loading from resource at https://replayservice2.secretdomain.com/api/servlet/screenshot/0.8/1.0/9175218823c9438aa322cdb767561dbd.jpg by requestor from http://cool.com:81/WEBPLAYERAS3.swf
Error: Request for resource at https://replayservice2.secretdomain.com/api/servlet/screenshot/0.8/1.0/9175218823c9438aa322cdb767561dbd.jpg by requestor from http://cool.com:81/WEBPLAYERAS3.swf is denied due to lack of policy file permissions.

and here is my crossdomain.xml file:

<cross-domain-policy xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<allow-access-from domain="*" secure="true"/>
<site-control permitted-cross-domain-policies="master-only"/>
</cross-domain-policy>

Note that the actual domains have been replaced with secretdomain.com.

All I'm doing is retrieving images in AS3 and assigning them to bitmaps.

UPDATE:

The issue only seems to occur when calling our secure server from an insecure server. Is this just forbidden, or is there a way around this?

Your update there is the answer to your entire problem:
"The issue only seems to occur when calling our secure server from an insecure server. Is this just forbidden, or is there a way around this?"

Especially when we look at the important part of your policy file:

<allow-access-from domain="*" secure="true"/>

That 'secure=True' part means that you are quite specifically not allowed to call mix-n-match secured and unsecured connections, they have to all be secure. By having that 'true' value in there, you're the one who is forbidding it. The way around it is, of course, to set it to 'secure=False' as in several of the other policy files that have been posted here.

If u try to communicate from http port to https port you will get "swf is denied due to lack of policy file permissions " to avoid this type of errors you can include the following tag in crossdomain.xml

  < allow-access-from domain="*" secure="false" to-ports="*" > 

This solves "Security Sandbox Violation"

In case if you get a warning msg " does not specify a meta-policy. Applying default meta-policy 'master-only'." place the following tag in crossdomain.xml

 < site-control permitted-cross-domain-policies="all" > 

I've included our cross domain policy if it helps. The Only thing we do differently is the site-control tag.

<cross-domain-policy xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
   <site-control permitted-cross-domain-policies="all"/> 
   <allow-http-request-headers-from domain="*"/> 
   <allow-access-from domain="*" secure="false" to-ports="*"/>
</cross-domain-policy>

I'm an ActionScript noobie, but does the Security.allowDomain("domain.com") do the trick?

I see in the stuff you posted

OK: Root-level SWF loaded: http://cool.com:81/WEBPLAYERAS3.swf

This tells me your swf is being loaded on port 81
What port are you dishing out the crossdomain on? This is very important that you have one on every port you are using.

Apart from setting the secure="false" in the 'allow-access-from' tag, also set secure="false" in the 'allow-http-request-headers-from' tag. Your crossdomain.xml should look like this-

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
<allow-http-request-headers-from domain="*" headers="SOAPAction"  secure="false"/>
</cross-domain-policy>