This pertains to content that loads data via flash.net.URLLoader, but likely affects all Flash data-loading APIs. Content on an HTTP site should never be able to load content from an HTTPS location unless the HTTPS site has a policy file that explicitly allows that content's domain *and* uses the secure="false" attribute. It appears that currently - by default - HTTP content can load HTTPS content from the same domain. Caveat: I don't have access to the root directory of an SSL-enabled server, so I've been relying on the behavior of bug 1029253 (redirects) to reproduce. If we remedy that - and we implement metapolicy (bug 1029258) - I can revisit this.