HTTPS Everywhere rules often interfere with Adobe cross-domain policy mechanism
Adobe Flash Player defines a https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html cross-domain policy file mechanism for preventing cross-domain attacks involving Flash. The file is written in XML and placed in http://kb2.adobe.com/cps/142/tn_14213.html a file called crossdomain.xml at the root of a domain. Current versions of Flash Player will block some information flows unless they are explicitly permitted by the cross-domain policy file.
We've had several bugs (usually about video embedding) related to rewriting http://www.example.com/crossdomain.xml into https://www.example.com/crossdomain.xml. As I understand it, these bugs resulted from either (1) the HTTPS version not existing at all, or (2) the HTTPS version having different contents from the HTTP version, resulting in the end-user's Flash plugin not learning that a site had intended to permit an embedding-related action (and incorrectly blocking the action).
I don't think Flash Player treats cross-domain policy files loaded over HTTPS differently from those loaded over HTTP, and I don't think it forbids the files to be loaded over HTTPS, although both of these possibilities are worth checking into.
We would like to have a blanket solution for this category of errors (which might still be responsible for a number of our ongoing video embedding bugs), or at least a way to identify them quickly with automated testing.