diff --git a/mozilla/content/html/document/src/nsHTMLDocument.cpp b/mozilla/content/html/document/src/nsHTMLDocument.cpp
index 9ae8d879ace..020f430d628 100644
--- a/mozilla/content/html/document/src/nsHTMLDocument.cpp
+++ b/mozilla/content/html/document/src/nsHTMLDocument.cpp
@@ -65,6 +65,8 @@
 #include "nsDOMError.h"
 #include "nsICodebasePrincipal.h"
 #include "nsIScriptSecurityManager.h"
+#include "nsJSUtils.h"
+#include "nsDOMPropEnums.h"
 #include "nsIIOService.h"
 #include "nsICookieService.h"
@@ -2532,18 +2534,25 @@ nsHTMLDocument::FindNamedItem(nsIContent *aContent,
 }
 
 NS_IMETHODIMP
-nsHTMLDocument::NamedItem(const nsString& aName, nsIDOMElement** aReturn)
+nsHTMLDocument::NamedItem(JSContext* cx, jsval* argv, PRUint32 argc,
+ jsval* aReturn)
 {
 nsresult result = NS_OK;
 nsIContent *content = nsnull;
 
+ if (argc < 1)
+ return NS_ERROR_DOM_TOO_FEW_PARAMETERS_ERR;
+
+ char *str = JS_GetStringBytes(JS_ValueToString(cx, argv[0]));
+ nsAutoString name(str);
+
 // XXX If we have a parser, it means that we're still loading the
 // document. Since there's still content coming in (and not all
 // may yet have been explicitly added to the document), we do
 // a depth-first search rather than build up a table.
 // Obviously, this may be inefficient for large documents.
 if (nsnull != mParser) {
- content = FindNamedItem(mRootContent, aName, PR_FALSE);
+ content = FindNamedItem(mRootContent, name, PR_FALSE);
 }
 else {
 // If the document has completed loading, we build a table and
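Review bot: `JS_GetStringBytes(JS_ValueToString(cx, argv[0]))` dereferences the conversion result without a null test; JS_ValueToString can return a null JSString when the conversion fails, and the removed getter code in nsJSHTMLDocument.cpp did test it for nsnull before use. Guarding it as `JSString *jsstr = JS_ValueToString(cx, argv[0]); if (!jsstr) return NS_ERROR_FAILURE;` and then taking the bytes from `jsstr` keeps the old behaviour. NamedItem's body continues in the next hunk, where `str` also serves as the hash-table key, and the identical change appears again for the layout/html/document/src copy of this file.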
@@ -2555,18 +2564,39 @@ nsHTMLDocument::NamedItem(const nsString& aName, nsIDOMElement** aReturn)
 RegisterNamedItems(mRootContent, PR_FALSE);
 }
 
- char *str = aName.ToNewCString();
 content = (nsIContent *)PL_HashTableLookup(mNamedItems, str);
- Recycle(str);
 }
 
+ nsIScriptContext *context = (nsIScriptContext*)JS_GetContextPrivate(cx);
+ JSObject *scriptObject;
+ result = GetScriptObject(context, (void **)&scriptObject);
+ if (NS_FAILED(result))
+ return result;
+
 if (nsnull != content) {
- result = content->QueryInterface(kIDOMElementIID, (void **)aReturn);
+ nsIScriptSecurityManager *sm = nsJSUtils::nsGetSecurityManager(cx, scriptObject);
+ result = sm->CheckScriptAccess(cx, scriptObject,
+ NS_DOM_PROP_NSHTMLFORMELEMENT_NAMEDITEM,
+ PR_FALSE);
+ if (NS_SUCCEEDED(result)) {
+ nsCOMPtr owner = do_QueryInterface(content);
+ JSObject* obj;
+
+ result = owner->GetScriptObject(context, (void**)&obj);
+ if (NS_FAILED(result)) {
+ return result;
+ }
+ *aReturn = OBJECT_TO_JSVAL(obj);
+ }
+ return result;
 }
- else {
- *aReturn = nsnull;
+ nsISupports *supports;
+ result = this->QueryInterface(NS_GET_IID(nsISupports), (void **) &supports);
+ if (NS_SUCCEEDED(result)) {
+ result = nsJSUtils::nsCallJSScriptObjectGetProperty(supports, cx, scriptObject,
+ argv[0], aReturn);
+ NS_RELEASE(supports);
 }
-
 return result;
 }
 
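Review bot: `sm` from `nsJSUtils::nsGetSecurityManager(cx, scriptObject)` and `owner` from `do_QueryInterface(content)` are both dereferenced without a null test, so a missing security manager or a content node that does not implement the script-object-owner interface would crash here instead of failing the lookup; `if (!sm) return NS_ERROR_FAILURE;` and `if (!owner) return NS_ERROR_FAILURE;` (or the NS_ENSURE_TRUE form used elsewhere in this commit) before the calls close that. The access check is keyed on `NS_DOM_PROP_NSHTMLFORMELEMENT_NAMEDITEM`, and the matching pref added in all.js is `security.policy.default.nshtmlformelement.nameditem`, so document.namedItem's policy is expressed under the form element's name; if that sharing is intentional, a comment such as `// shares the form element's namedItem policy` would save the next reader a search. The not-found path through `nsCallJSScriptObjectGetProperty` runs without the CheckScriptAccess gate; that may be handled inside the helper, but it is worth confirming. The same hunk appears again for the layout/html/document/src copy of this file.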
@@ -2621,29 +2651,15 @@ nsHTMLDocument::Resolve(JSContext *aContext, JSObject *aObj, jsval aID)
 }
 
 nsresult result;
- nsCOMPtr element;
- char* str = JS_GetStringBytes(JSVAL_TO_STRING(aID));
- nsAutoString name(str);
 PRBool ret = PR_TRUE;
+ jsval val = 0;
 
- result = NamedItem(name, getter_AddRefs(element));
- if (NS_SUCCEEDED(result) && element) {
- nsCOMPtr owner = do_QueryInterface(element);
-
- if (owner) {
- nsCOMPtr scriptContext;
- nsLayoutUtils::GetStaticScriptContext(aContext, aObj,
- getter_AddRefs(scriptContext));
- if (scriptContext) {
- JSObject* obj;
- result = owner->GetScriptObject(scriptContext, (void**)&obj);
- if (NS_SUCCEEDED(result) && obj) {
- ret = ::JS_DefineProperty(aContext, aObj,
- str, OBJECT_TO_JSVAL(obj),
- nsnull, nsnull, 0);
- }
- }
- }
+ result = NamedItem(aContext, &aID, 1, &val);
+ if (NS_SUCCEEDED(result) && val) {
+ char *str = JS_GetStringBytes(JSVAL_TO_STRING(aID));
+ ret = ::JS_DefineProperty(aContext, aObj,
+ str, val,
+ nsnull, nsnull, 0);
 }
 if (NS_FAILED(result)) {
 ret = PR_FALSE;
diff --git a/mozilla/docshell/base/nsWebShell.cpp b/mozilla/docshell/base/nsWebShell.cpp
index e3c2338c514..02c1f7e3444 100644
--- a/mozilla/docshell/base/nsWebShell.cpp
+++ b/mozilla/docshell/base/nsWebShell.cpp
@@ -1245,8 +1245,8 @@ nsWebShell::DoLoadURL(nsIURI * aUri,
 }
 
 // Fix for bug 1646. Change the notion of current url and referrer only after
- // the document load succeeds.
- if (NS_SUCCEEDED(rv)) {
+ // the document load succeeds (but only if we're not targeting another window).
+ if (NS_SUCCEEDED(rv) && !aWindowTarget) {
 SetCurrentURI(aUri);
 SetReferrer(aReferrer);
 }
diff --git a/mozilla/dom/public/html/nsIDOMNSHTMLDocument.h b/mozilla/dom/public/html/nsIDOMNSHTMLDocument.h
index 7885c0debc2..e4239c17211 100644
--- a/mozilla/dom/public/html/nsIDOMNSHTMLDocument.h
+++ b/mozilla/dom/public/html/nsIDOMNSHTMLDocument.h
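Review bot: The new guard `if (NS_SUCCEEDED(result) && val)` only rejects a zero jsval; if the not-found path inside NamedItem leaves `val` as JSVAL_VOID, which is a non-zero tagged value, the name would still be defined on `aObj` with an undefined value, whereas the removed code defined it only when a script object had actually been obtained. Testing `!JSVAL_IS_VOID(val)` as well (or `JSVAL_IS_OBJECT(val)` if only element results are expected here) restores that distinction. `JSVAL_TO_STRING(aID)` is taken without a `JSVAL_IS_STRING` test, as before; Resolve's prologue starts outside the hunk, so if it does not already check the tag that is worth adding. The same hunk appears again for the layout/html/document/src copy of this file.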
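Review bot: `!aWindowTarget` treats only a null pointer as "no target"; if callers of DoLoadURL, whose signature starts outside the hunk, can pass an empty string for the target, the current URI and referrer would then not be updated for an ordinary load. Assuming the parameter is a string pointer, `if (NS_SUCCEEDED(rv) && (!aWindowTarget || !*aWindowTarget))` covers both spellings. The identical hunk appears again for mozilla/webshell/src/nsWebShell.cpp.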
@@ -29,7 +29,6 @@
 #include "nsIScriptContext.h"
 #include "jsapi.h"
 
-class nsIDOMElement;
 class nsIDOMEvent;
 class nsIDOMHTMLCollection;
 
@@ -64,7 +63,7 @@ public:
 
 NS_IMETHOD GetSelection(nsString& aReturn)=0;
 
- NS_IMETHOD NamedItem(const nsString& aName, nsIDOMElement** aReturn)=0;
+ NS_IMETHOD NamedItem(JSContext* cx, jsval* argv, PRUint32 argc, jsval* aReturn)=0;
 
 NS_IMETHOD Open(JSContext* cx, jsval* argv, PRUint32 argc)=0;
 
@@ -97,7 +96,7 @@ public:
 NS_IMETHOD GetEmbeds(nsIDOMHTMLCollection** aEmbeds); \
 NS_IMETHOD GetPlugins(nsIDOMHTMLCollection** aPlugins); \
 NS_IMETHOD GetSelection(nsString& aReturn); \
- NS_IMETHOD NamedItem(const nsString& aName, nsIDOMElement** aReturn); \
+ NS_IMETHOD NamedItem(JSContext* cx, jsval* argv, PRUint32 argc, jsval* aReturn); \
 NS_IMETHOD Open(JSContext* cx, jsval* argv, PRUint32 argc); \
 NS_IMETHOD Write(JSContext* cx, jsval* argv, PRUint32 argc); \
 NS_IMETHOD Writeln(JSContext* cx, jsval* argv, PRUint32 argc); \
@@ -123,7 +122,7 @@ public:
 NS_IMETHOD GetEmbeds(nsIDOMHTMLCollection** aEmbeds) { return _to GetEmbeds(aEmbeds); } \
 NS_IMETHOD GetPlugins(nsIDOMHTMLCollection** aPlugins) { return _to GetPlugins(aPlugins); } \
 NS_IMETHOD GetSelection(nsString& aReturn) { return _to GetSelection(aReturn); } \
- NS_IMETHOD NamedItem(const nsString& aName, nsIDOMElement** aReturn) { return _to NamedItem(aName, aReturn); } \
+ NS_IMETHOD NamedItem(JSContext* cx, jsval* argv, PRUint32 argc, jsval* aReturn) { return _to NamedItem(cx, argv, argc, aReturn); } \
 NS_IMETHOD Open(JSContext* cx, jsval* argv, PRUint32 argc) { return _to Open(cx, argv, argc); } \
 NS_IMETHOD Write(JSContext* cx, jsval* argv, PRUint32 argc) { return _to Write(cx, argv, argc); } \
 NS_IMETHOD Writeln(JSContext* cx, jsval* argv, PRUint32 argc) { return _to Writeln(cx, argv, argc); } \
diff --git a/mozilla/dom/public/idl/html/HTMLDocument.idl b/mozilla/dom/public/idl/html/HTMLDocument.idl
index 8c1746b55ad..1f25287859b 100644
--- a/mozilla/dom/public/idl/html/HTMLDocument.idl
+++ b/mozilla/dom/public/idl/html/HTMLDocument.idl
@@ -37,7 +37,7 @@
 readonly attribute HTMLCollection plugins;
 
 wstring getSelection();
- Element namedItem(in wstring name);
+ jsval namedItem(/* ... */);
 void open(/* ... */);
 void write(/* ... */);
diff --git a/mozilla/dom/src/html/nsJSHTMLDocument.cpp b/mozilla/dom/src/html/nsJSHTMLDocument.cpp
index e78c4a61545..43ab9cb3283 100644
--- a/mozilla/dom/src/html/nsJSHTMLDocument.cpp
+++ b/mozilla/dom/src/html/nsJSHTMLDocument.cpp
@@ -399,33 +399,12 @@ GetHTMLDocumentProperty(JSContext *cx, JSObject *obj, jsval id, jsval *vp)
 }
 
 if (checkNamedItem) {
- nsIDOMElement* prop;
 nsIDOMNSHTMLDocument* b;
- nsAutoString name;
-
- JSString *jsstring = JS_ValueToString(cx, id);
- if (nsnull != jsstring) {
- name.SetString(JS_GetStringChars(jsstring));
- }
- else {
- name.SetString("");
- }
-
+ nsresult result = NS_OK;
 if (NS_OK == a->QueryInterface(kINSHTMLDocumentIID, (void **)&b)) {
- nsresult result = NS_OK;
- result = b->NamedItem(name, &prop);
- if (NS_SUCCEEDED(result)) {
- NS_RELEASE(b);
- if (NULL != prop) {
- // get the js object
- nsJSUtils::nsConvertObjectToJSVal((nsISupports *)prop, cx, obj, vp);
- }
- else {
- return nsJSUtils::nsCallJSScriptObjectGetProperty(a, cx, obj, id, vp);
- }
- }
- else {
- NS_RELEASE(b);
+ result = b->NamedItem(cx, &id, 1, vp);
+ NS_RELEASE(b);
+ if (NS_FAILED(result)) {
 return nsJSUtils::nsReportError(cx, obj, result);
 }
 }
@@ -833,8 +812,7 @@ NSHTMLDocumentNamedItem(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, j
 return nsJSUtils::nsReportError(cx, obj, NS_ERROR_DOM_WRONG_TYPE_ERR);
 }
 
- nsIDOMElement* nativeRet;
- nsAutoString b0;
+ jsval nativeRet;
 // If there's no private data, this must be the prototype, so ignore
 if (!nativeThis) {
 return JS_TRUE;
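Review bot: The `checkNamedItem` branch now relies on NamedItem to fill `*vp` both when a named element exists and when it falls back to the document's own script property, which is not visible from this call site; a comment such as `// NamedItem resolves the name or falls back to the document's own JS property, filling *vp either way` on the `b->NamedItem(cx, &id, 1, vp)` line would make that explicit. The fallback now goes through the script object NamedItem obtains for the document rather than the `obj` this getter was handed; they are presumably the same object, but it is worth confirming. GetHTMLDocumentProperty continues outside the hunk.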
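Review bot: `jsval nativeRet;` is left uninitialized, and the following hunk copies it into `*rval` whenever NamedItem reports success; if the not-found path inside NamedItem can succeed without writing its out-param, an indeterminate jsval reaches script. Initialising it as `jsval nativeRet = JSVAL_NULL;`, matching `jsval val = 0;` in nsHTMLDocument::Resolve, removes the question. NSHTMLDocumentNamedItem starts and ends outside this hunk.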
@@ -849,18 +827,13 @@ NSHTMLDocumentNamedItem(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, j
 if (NS_FAILED(result)) {
 return nsJSUtils::nsReportError(cx, obj, result);
 }
- if (argc < 1) {
- return nsJSUtils::nsReportError(cx, obj, NS_ERROR_DOM_TOO_FEW_PARAMETERS_ERR);
- }
- nsJSUtils::nsConvertJSValToString(b0, cx, argv[0]);
-
- result = nativeThis->NamedItem(b0, &nativeRet);
+ result = nativeThis->NamedItem(cx, argv+0, argc-0, &nativeRet);
 if (NS_FAILED(result)) {
 return nsJSUtils::nsReportError(cx, obj, result);
 }
 
- nsJSUtils::nsConvertObjectToJSVal(nativeRet, cx, obj, rval);
+ *rval = nativeRet;
 }
 
 return JS_TRUE;
@@ -1232,7 +1205,7 @@ static JSFunctionSpec HTMLDocumentMethods[] =
 {"getElementById", HTMLDocumentGetElementById, 1},
 {"getElementsByName", HTMLDocumentGetElementsByName, 1},
 {"getSelection", NSHTMLDocumentGetSelection, 0},
- {"namedItem", NSHTMLDocumentNamedItem, 1},
+ {"namedItem", NSHTMLDocumentNamedItem, 0},
 {"open", NSHTMLDocumentOpen, 0},
 {"write", NSHTMLDocumentWrite, 0},
 {"writeln", NSHTMLDocumentWriteln, 0},
diff --git a/mozilla/layout/generic/nsFrameFrame.cpp b/mozilla/layout/generic/nsFrameFrame.cpp
index b33ba64a81c..b3e645fcfa2 100644
--- a/mozilla/layout/generic/nsFrameFrame.cpp
+++ b/mozilla/layout/generic/nsFrameFrame.cpp
@@ -998,21 +998,17 @@ nsHTMLFrameInnerFrame::ReloadURL()
 }
 }
 
- nsCOMPtr webNav(do_QueryInterface(mSubShell));
- NS_ENSURE_TRUE(webNav, NS_ERROR_FAILURE);
+ nsCOMPtr webShell(do_QueryInterface(mSubShell));
+ NS_ENSURE_TRUE(webShell, NS_ERROR_FAILURE);
 
- rv = webNav->LoadURI(absURL.GetUnicode()); // URL string with a default nsnull value for post Data
-/*
-XXX no webshell to call LoadURL on, webNav doesn't have a referrer arg
 // load with an URL string with a default nsnull value for post Data
- rv = mWebShell->LoadURL(absURL.GetUnicode(),
- nsnull, PR_TRUE,
- nsIChannel::LOAD_NORMAL,
- 0,
- nsnull,
- referrer.Length() > 0 ? referrer.GetUnicode()
- : nsnull);
-*/
+ rv = webShell->LoadURL(absURL.GetUnicode(),
+ nsnull, PR_TRUE,
+ nsIChannel::LOAD_NORMAL,
+ 0,
+ nsnull,
+ referrer.Length() > 0 ? referrer.GetUnicode()
+ : nsnull);
 }
 } else {
 mCreatingViewer = PR_TRUE;
diff --git a/mozilla/layout/html/document/src/nsFrameFrame.cpp b/mozilla/layout/html/document/src/nsFrameFrame.cpp
index b33ba64a81c..b3e645fcfa2 100644
--- a/mozilla/layout/html/document/src/nsFrameFrame.cpp
+++ b/mozilla/layout/html/document/src/nsFrameFrame.cpp
@@ -998,21 +998,17 @@ nsHTMLFrameInnerFrame::ReloadURL()
 }
 }
 
- nsCOMPtr webNav(do_QueryInterface(mSubShell));
- NS_ENSURE_TRUE(webNav, NS_ERROR_FAILURE);
+ nsCOMPtr webShell(do_QueryInterface(mSubShell));
+ NS_ENSURE_TRUE(webShell, NS_ERROR_FAILURE);
 
- rv = webNav->LoadURI(absURL.GetUnicode()); // URL string with a default nsnull value for post Data
-/*
-XXX no webshell to call LoadURL on, webNav doesn't have a referrer arg
 // load with an URL string with a default nsnull value for post Data
- rv = mWebShell->LoadURL(absURL.GetUnicode(),
- nsnull, PR_TRUE,
- nsIChannel::LOAD_NORMAL,
- 0,
- nsnull,
- referrer.Length() > 0 ? referrer.GetUnicode()
- : nsnull);
-*/
+ rv = webShell->LoadURL(absURL.GetUnicode(),
+ nsnull, PR_TRUE,
+ nsIChannel::LOAD_NORMAL,
+ 0,
+ nsnull,
+ referrer.Length() > 0 ? referrer.GetUnicode()
+ : nsnull);
 }
 } else {
 mCreatingViewer = PR_TRUE;
diff --git a/mozilla/layout/html/document/src/nsHTMLDocument.cpp b/mozilla/layout/html/document/src/nsHTMLDocument.cpp
index 9ae8d879ace..020f430d628 100644
--- a/mozilla/layout/html/document/src/nsHTMLDocument.cpp
+++ b/mozilla/layout/html/document/src/nsHTMLDocument.cpp
@@ -65,6 +65,8 @@
 #include "nsDOMError.h"
 #include "nsICodebasePrincipal.h"
 #include "nsIScriptSecurityManager.h"
+#include "nsJSUtils.h"
+#include "nsDOMPropEnums.h"
 #include "nsIIOService.h"
 #include "nsICookieService.h"
@@ -2532,18 +2534,25 @@ nsHTMLDocument::FindNamedItem(nsIContent *aContent,
 }
 
 NS_IMETHODIMP
-nsHTMLDocument::NamedItem(const nsString& aName, nsIDOMElement** aReturn)
+nsHTMLDocument::NamedItem(JSContext* cx, jsval* argv, PRUint32 argc,
+ jsval* aReturn)
 {
 nsresult result = NS_OK;
 nsIContent *content = nsnull;
 
+ if (argc < 1)
+ return NS_ERROR_DOM_TOO_FEW_PARAMETERS_ERR;
+
+ char *str = JS_GetStringBytes(JS_ValueToString(cx, argv[0]));
+ nsAutoString name(str);
+
 // XXX If we have a parser, it means that we're still loading the
 // document. Since there's still content coming in (and not all
 // may yet have been explicitly added to the document), we do
 // a depth-first search rather than build up a table.
 // Obviously, this may be inefficient for large documents.
 if (nsnull != mParser) {
- content = FindNamedItem(mRootContent, aName, PR_FALSE);
+ content = FindNamedItem(mRootContent, name, PR_FALSE);
 }
 else {
 // If the document has completed loading, we build a table and
@@ -2555,18 +2564,39 @@ nsHTMLDocument::NamedItem(const nsString& aName, nsIDOMElement** aReturn)
 RegisterNamedItems(mRootContent, PR_FALSE);
 }
 
- char *str = aName.ToNewCString();
 content = (nsIContent *)PL_HashTableLookup(mNamedItems, str);
- Recycle(str);
 }
 
+ nsIScriptContext *context = (nsIScriptContext*)JS_GetContextPrivate(cx);
+ JSObject *scriptObject;
+ result = GetScriptObject(context, (void **)&scriptObject);
+ if (NS_FAILED(result))
+ return result;
+
 if (nsnull != content) {
- result = content->QueryInterface(kIDOMElementIID, (void **)aReturn);
+ nsIScriptSecurityManager *sm = nsJSUtils::nsGetSecurityManager(cx, scriptObject);
+ result = sm->CheckScriptAccess(cx, scriptObject,
+ NS_DOM_PROP_NSHTMLFORMELEMENT_NAMEDITEM,
+ PR_FALSE);
+ if (NS_SUCCEEDED(result)) {
+ nsCOMPtr owner = do_QueryInterface(content);
+ JSObject* obj;
+
+ result = owner->GetScriptObject(context, (void**)&obj);
+ if (NS_FAILED(result)) {
+ return result;
+ }
+ *aReturn = OBJECT_TO_JSVAL(obj);
+ }
+ return result;
 }
- else {
- *aReturn = nsnull;
+ nsISupports *supports;
+ result = this->QueryInterface(NS_GET_IID(nsISupports), (void **) &supports);
+ if (NS_SUCCEEDED(result)) {
+ result = nsJSUtils::nsCallJSScriptObjectGetProperty(supports, cx, scriptObject,
+ argv[0], aReturn);
+ NS_RELEASE(supports);
 }
-
 return result;
 }
 
@@ -2621,29 +2651,15 @@ nsHTMLDocument::Resolve(JSContext *aContext, JSObject *aObj, jsval aID)
 }
 
 nsresult result;
- nsCOMPtr element;
- char* str = JS_GetStringBytes(JSVAL_TO_STRING(aID));
- nsAutoString name(str);
 PRBool ret = PR_TRUE;
+ jsval val = 0;
 
- result = NamedItem(name, getter_AddRefs(element));
- if (NS_SUCCEEDED(result) && element) {
- nsCOMPtr owner = do_QueryInterface(element);
-
- if (owner) {
- nsCOMPtr scriptContext;
- nsLayoutUtils::GetStaticScriptContext(aContext, aObj,
- getter_AddRefs(scriptContext));
- if (scriptContext) {
- JSObject* obj;
- result = owner->GetScriptObject(scriptContext, (void**)&obj);
- if (NS_SUCCEEDED(result) && obj) {
- ret = ::JS_DefineProperty(aContext, aObj,
- str, OBJECT_TO_JSVAL(obj),
- nsnull, nsnull, 0);
- }
- }
- }
+ result = NamedItem(aContext, &aID, 1, &val);
+ if (NS_SUCCEEDED(result) && val) {
+ char *str = JS_GetStringBytes(JSVAL_TO_STRING(aID));
+ ret = ::JS_DefineProperty(aContext, aObj,
+ str, val,
+ nsnull, nsnull, 0);
 }
 if (NS_FAILED(result)) {
 ret = PR_FALSE;
diff --git a/mozilla/modules/libpref/src/init/all.js b/mozilla/modules/libpref/src/init/all.js
index dab949cd1cf..014d588c7d8 100644
--- a/mozilla/modules/libpref/src/init/all.js
+++ b/mozilla/modules/libpref/src/init/all.js
@@ -416,6 +416,18 @@
 pref("security.policy.default.nshtmldocument.writeln", "sameOrigin");
 pref("security.policy.default.eventtarget.addeventlistener", "sameOrigin");
 
+pref("security.policy.default.element.getattribute", "sameOrigin");
+pref("security.policy.default.element.getattributenode", "sameOrigin");
+pref("security.policy.default.element.getelementsbytagname", "sameOrigin");
+pref("security.policy.default.element.normalize", "sameOrigin");
+pref("security.policy.default.element.removeattribute", "sameOrigin");
+pref("security.policy.default.element.removeattributenode", "sameOrigin");
+pref("security.policy.default.element.setattribute", "sameOrigin");
+pref("security.policy.default.element.setattributenode", "sameOrigin");
+pref("security.policy.default.element.tagname", "sameOrigin");
+
+pref("security.policy.default.nshtmlformelement.nameditem", "sameOrigin");
+
 pref("security.policy.default.history.current.read", "UniversalBrowserRead");
 pref("security.policy.default.history.next.read", "UniversalBrowserRead");
 pref("security.policy.default.history.previous.read", "UniversalBrowserRead");
diff --git a/mozilla/webshell/src/nsWebShell.cpp b/mozilla/webshell/src/nsWebShell.cpp
index e3c2338c514..02c1f7e3444 100644
--- a/mozilla/webshell/src/nsWebShell.cpp
+++ b/mozilla/webshell/src/nsWebShell.cpp
@@ -1245,8 +1245,8 @@ nsWebShell::DoLoadURL(nsIURI * aUri,
 }
 
 // Fix for bug 1646. Change the notion of current url and referrer only after
- // the document load succeeds.
- if (NS_SUCCEEDED(rv)) {
+ // the document load succeeds (but only if we're not targeting another window).
+ if (NS_SUCCEEDED(rv) && !aWindowTarget) {
 SetCurrentURI(aUri);
 SetReferrer(aReferrer);
 }
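Review bot: The nine `security.policy.default.element.*` prefs are added without any hunk in this commit adding the corresponding CheckScriptAccess calls for those Element properties; the only check introduced here is the one for `nshtmlformelement.nameditem` in nsHTMLDocument::NamedItem. If the Element checks already exist elsewhere, a one-line comment above the group such as `// policy names for the Element property checks in the DOM element glue` would tie the prefs to their enforcement point; if they do not, the prefs are inert until those checks land.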