I'm trying to get my Flex application to call a webservice on a remote Reporting Services instance, but am running up against insummountable problems with the Flash Player's cross-site scripting security.
Due to the way that Reporting Services works, there is no root folder (i.e. http://theserver/ doesn't actually exist anywhere in the filesystem) - so we cannot have a master policy file at that location.
However, we have been able - through extensive fiddling of the SSRS web.config - to get an XML and/or ASPX file into the http://myserver/ReportServer/ subfolder and have the "X-Permitted-Cross-Domain-Policies: all" HTTP header returned along with the content.
We are then calling Security.loadPolicyFile("http://theserver/ReportServer/crossdomain.xml") before we try and start calling the WebService.
We are then able to load the WebService description (GET /ReportServer/ReportService2005.asmx?wsdl). However, when we then try to make the actual call to the webservice - which is a HTTP POST of XML data to the same URL - /ReportServer/ReportService2005.asmx - we get the following errors in the Flex debugger (and the Flash Player log file):
Warning: Failed to load policy file from http://theserver/crossdomain.xml
Error: Request for resource at http://theserver/ReportServer/ReportService2005.asmx by requestor from http://localhost/modules/ReportsModule.swf is denied due to lack of policy file permissions.
*** Security Sandbox Violation ***
Are GET and POST requests handled differently, or is there something more sinister going on here? Can anyone think of a way to proceed in this investigation, apart from just giving up on Flash's ability to do anything cross-site, and writing our own Server-Side proxy for everything!