This is is what I found out in a furstrated afternoon. There might be wrog things due the cache. If people know about this more, please let me know.
This might work in AS2 and AS3. But it was tested on AS2 Flash9, under Flash Player 10 re32(debug).
How Flash security works between SWFs or SWF loading external images (JPG,PNG,more types?), understandble for everyone:
We have two files: master.swf and slave.swf.
master is on: 'http://www.exampleDomOne.com/master.swf';
master will load a file: http://www.exampleDomTwo.com/slave.swf";
If we place on master.swf:
Will allow a flash file loaded from that domain to access _root vars (but not _global?) vars from master.swf
If you place on slave.swf:
It will make ony the variables that are this.[var name] (you can ommit this) will be accessible from the clip that was used to load the swf file. but _root or _global vars will not be available.
Converting to Bitmap or using setMask() directly on those clips when no System.security.allowDomain is set in both files will result in error. But you can mask a holder. That means that if you have a clip(mc2) inside another clip(mc1). And you load an external file on mc2, you are not allowed to mask mc2 but you are mc1. Stupid huh?
What is adobe when they are thinkging about security?
If you want to load external images and you want to mask them, there is no need for crossdomain or Security stuff, just load them as usual and mask the holder. easy.
If you want to load a flash file securely in your online flash application. Don't use System.security.allowDomain();
Simple, not complicated.