What policy is enforced by an "empty" crossdomain.xml?
What policy would be enforced by the following crossdomain.xml that contains no allow statements.
<cross-domain-policy> <site-control permitted-cross-domain-policies="all"/> </cross-domain-policy>
Does this implicitly deny or accept everything?
I haven't checked but since by default the requests are blocked, I'd say that that will also deny any request coming from a different subdomain (this depends on the Flash Player version though). I think FP7 blocked on the top level domain, and everything after that (FP8, FP9, FP10) block everything on the subdomain level.
Details on this can be found from Adobe http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html