Despite other answers suggesting something simple:
    Security.loadPolicyFile("https://fbcdn-profile-a.akamaihd.net/crossdomain.xml");
This is not clear and not complete enough. Facebook has different image servers that I have come across before. This can be considered a Flash Player error, which I would accept, but as a security issue, I can understand that they do not allow redirection by default, since you yourself have to deal with it.
I now use the code below. You try to execute your usual behavior, but wrap it in a try / catch for SecurityError. If one is thrown, catch it, and if the loaderInfo domain is different from the domain you are requesting, you run "Security.allowDomain" and "Security.loadPolicyFile" on it and try to download it again. This works great in practice, with only a small amount of overhead.
    package {
        import flash.display.Loader;
        import flash.display.LoaderInfo;
        import flash.display.Sprite;
        import flash.events.Event;
        import flash.net.URLRequest;
        import flash.system.LoaderContext;
        import flash.system.Security;

        public class RedirectTest extends Sprite {
            private const url:String = 'https://graph.facebook.com/4/picture';
            // checkPolicyFile = true: look for a policy file before loading
            private const context:LoaderContext = new LoaderContext(true);

            public function RedirectTest() {
                var loader:Loader = new Loader();
                loader.contentLoaderInfo.addEventListener(Event.COMPLETE, onComplete);
                loader.load(new URLRequest(this.url), this.context);
            }

            protected function onComplete(event:Event):void {
                try {
                    this.addChild((event.target as LoaderInfo).content);
                } catch(error:SecurityError) {
                    trace(error);
                    var loaderInfo:LoaderInfo = (event.target as LoaderInfo);
                    // url is the full post-redirect URL; reduce it to scheme://host/
                    // so that appending 'crossdomain.xml' gives the policy file URL
                    var finalUrl:String = loaderInfo.loader.contentLoaderInfo.url;
                    var hostEnd:int = finalUrl.indexOf('/', finalUrl.indexOf('://') + 3);
                    var loaderDomain:String = (hostEnd == -1) ? finalUrl + '/' : finalUrl.substring(0, hostEnd + 1);
                    // Retry only if the content came from a different domain than requested
                    if(-1 == this.url.indexOf(loaderDomain)) {
                        Security.loadPolicyFile(loaderDomain + 'crossdomain.xml');
                        if( 0 == loaderDomain.indexOf('https') ) {
                            Security.allowDomain(loaderDomain);
                        } else {
                            Security.allowInsecureDomain(loaderDomain);
                        }
                        loaderInfo.loader.load(new URLRequest(this.url), this.context);
                        return;
                    }
                    throw error;
                }
            }
        }
    }
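A tighter variant of the retry above, as an added example that is not part of the original answer: it loads a policy file only when the redirect lands on an https host from an explicit allow-list, does not call Security.allowDomain (that call governs access by SWF files from the named domain, not reading loaded image content), and retries once. The class name, `allowedHosts` and `httpsHost` are hypothetical, and the list holds only the host named in the answer.

```actionscript
package {
    import flash.display.Loader;
    import flash.display.LoaderInfo;
    import flash.display.Sprite;
    import flash.events.Event;
    import flash.net.URLRequest;
    import flash.system.LoaderContext;
    import flash.system.Security;

    // Added example: allow-listed redirect target, policy file only, one retry.
    public class AllowListedRedirectLoader extends Sprite {
        private const url:String = 'https://graph.facebook.com/4/picture';
        // Assumption: exact hosts this app expects redirects to land on.
        private const allowedHosts:Array = ['fbcdn-profile-a.akamaihd.net'];
        private const context:LoaderContext = new LoaderContext(true);
        private var retried:Boolean = false;

        public function AllowListedRedirectLoader() {
            var loader:Loader = new Loader();
            loader.contentLoaderInfo.addEventListener(Event.COMPLETE, onComplete);
            loader.load(new URLRequest(url), context);
        }

        // Lower-cased host of an https URL; null for other schemes or userinfo.
        private function httpsHost(u:String):String {
            var m:Array = u.match(/^https:\/\/([^\/:?#@]+)(?::\d+)?(?:[\/?#]|$)/i);
            return m ? String(m[1]).toLowerCase() : null;
        }

        private function onComplete(event:Event):void {
            var info:LoaderInfo = event.target as LoaderInfo;
            try {
                addChild(info.content);
            } catch (error:SecurityError) {
                var host:String = httpsHost(info.url);
                // Unknown host, non-https redirect, or second failure: give up.
                if (retried || host == null || allowedHosts.indexOf(host) == -1) throw error;
                retried = true;
                // Trust is extended to this one host, and only for its policy file.
                Security.loadPolicyFile('https://' + host + '/crossdomain.xml');
                info.loader.load(new URLRequest(url), context);
            }
        }
    }
}
```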