It is not required to be in the root of the web server. That's just where it looks for it by default. When the app initializes, the developer can make a call to Security.loadPolicyFile().See:http://livedocs.adobe.com/flex/3/langref/flash/system/Security.html#loadPolicyFile()You'll still need to have a small crossdomain.xml file in the root of the web server that says it's OK to use policy files from other places on your server. This is called the master policy file. It would look like this:<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
</cross-domain-policy>
You can get more info on this at (page 7 and 11 of the pdf):http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html