diff --git a/mozilla/caps/src/nsScriptSecurityManager.cpp b/mozilla/caps/src/nsScriptSecurityManager.cpp index 34eb9a5c3f3..4dfe17aa3e1 100644 --- a/mozilla/caps/src/nsScriptSecurityManager.cpp +++ b/mozilla/caps/src/nsScriptSecurityManager.cpp @@ -1392,11 +1392,11 @@ nsScriptSecurityManager::GetSecurityLevel(nsIPrincipal *principal, nsresult rv; mIsAccessingPrefs = PR_TRUE; rv = mPrefs->CopyCharPref(prefName, &secLevelString); - mIsAccessingPrefs = PR_FALSE; if (NS_FAILED(rv)) { prefName += (isWrite ? ".write" : ".read"); rv = mPrefs->CopyCharPref(prefName, &secLevelString); } + mIsAccessingPrefs = PR_FALSE; if (NS_SUCCEEDED(rv) && secLevelString) { if (PL_strcmp(secLevelString, "sameOrigin") == 0) secLevel = SCRIPT_SECURITY_SAME_DOMAIN_ACCESS; @@ -1637,6 +1637,7 @@ nsScriptSecurityManager::EnumeratePolicyCallback(const char *prefName, { if (!prefName || !*prefName) return; + nsScriptSecurityManager *mgr = (nsScriptSecurityManager *) data; unsigned count = 0; const char *dots[5]; diff --git a/mozilla/content/html/document/src/nsHTMLContentSink.cpp b/mozilla/content/html/document/src/nsHTMLContentSink.cpp index 9ae5aac2482..0c1c4f1b721 100644 --- a/mozilla/content/html/document/src/nsHTMLContentSink.cpp +++ b/mozilla/content/html/document/src/nsHTMLContentSink.cpp @@ -3374,6 +3374,17 @@ HTMLContentSink::ProcessAREATag(const nsIParserNode& aNode) void HTMLContentSink::ProcessBaseHref(const nsString& aBaseHref) { + //-- Make sure this page is allowed to load this URL + nsresult rv; + NS_WITH_SERVICE(nsIScriptSecurityManager, securityManager, + NS_SCRIPTSECURITYMANAGER_PROGID, &rv); + if (NS_FAILED(rv)) return; + nsCOMPtr baseHrefURI; + rv = NS_NewURI(getter_AddRefs(baseHrefURI), aBaseHref, nsnull); + if (NS_FAILED(rv)) return; + rv = securityManager->CheckLoadURI(mDocumentBaseURL, baseHrefURI, PR_FALSE); + if (NS_FAILED(rv)) return; + if (nsnull == mBody) { // still in real HEAD mHTMLDocument->SetBaseURL(aBaseHref); NS_RELEASE(mDocumentBaseURL); 
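Review bot: In nsScriptSecurityManager::GetSecurityLevel the `mIsAccessingPrefs` guard is still set and cleared by hand, so the ordering problem this hunk fixes can return as soon as another lookup or an early return is added between the two assignments. A comment above `mIsAccessingPrefs = PR_TRUE;` would record the invariant, for example `// Guard must stay set across BOTH CopyCharPref calls (base name and .read/.write fallback)`. A small stack object that sets the flag in its constructor and clears it in its destructor would enforce it instead. What the flag protects against is not visible here, so the comment wording should be confirmed against the code that reads it. The function body starts and ends outside the hunk.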
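Review bot: The new local `mgr` in nsScriptSecurityManager::EnumeratePolicyCallback has no use in the lines shown, and no other hunk for this file on the page adds one, so as committed it looks like an unused variable or the code that needs it was left out of the patch. If it is kept, `data` should be checked before it is dereferenced and the conversion written as a named cast, e.g. `nsScriptSecurityManager *mgr = NS_STATIC_CAST(nsScriptSecurityManager *, data); if (!mgr) return;`. The rest of the callback lies outside the hunk, so a use further down cannot be ruled out from here.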
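Review bot: In HTMLContentSink::ProcessBaseHref the source URI passed to `CheckLoadURI` is `mDocumentBaseURL`, which the unchanged lines just below release and presumably replace with the accepted href, so a second BASE element would be checked against the first base href rather than the URL the document was loaded from. The check is stronger when its source is a URL the page cannot change; until then a marker such as `// XXX source should be the document URL, not the page-settable base URL` would flag it. The LoadStyleLink hunks in the three nsCSSLoader.cpp copies share this, since they take their source from `mDocument->GetBaseURL(docURI)`. Separately, `NS_NewURI(getter_AddRefs(baseHrefURI), aBaseHref, nsnull)` parses with no base, so a relative href fails and the element is silently ignored; if that is intended, a comment should say so. The identical hunk for mozilla/layout/html/document/src/nsHTMLContentSink.cpp carries the same points, and the function body ends outside the hunk.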
diff --git a/mozilla/content/html/style/src/nsCSSLoader.cpp b/mozilla/content/html/style/src/nsCSSLoader.cpp index 96cb97303ff..927396fcdf2 100644 --- a/mozilla/content/html/style/src/nsCSSLoader.cpp +++ b/mozilla/content/html/style/src/nsCSSLoader.cpp @@ -50,6 +50,7 @@ #include "nsVoidArray.h" #include "nsISupportsArray.h" #include "nsCOMPtr.h" +#include "nsIScriptSecurityManager.h" #include @@ -1281,6 +1282,17 @@ CSSLoaderImpl::LoadStyleLink(nsIContent* aElement, if (! mDocument) { return NS_ERROR_NOT_INITIALIZED; } + + //-- Make sure this page is allowed to load this URL + nsresult rv; + NS_WITH_SERVICE(nsIScriptSecurityManager, secMan, NS_SCRIPTSECURITYMANAGER_PROGID, &rv); + if (NS_FAILED(rv)) return rv; + nsIURI* docURI; + rv = mDocument->GetBaseURL(docURI); + if (NS_FAILED(rv) || !docURI) return NS_ERROR_FAILURE; + rv = secMan->CheckLoadURI(docURI, aURL, PR_FALSE); + NS_IF_RELEASE(docURI); + if (NS_FAILED(rv)) return NS_ERROR_FAILURE; // XXX need to add code to cancel any pending sheets for element nsresult result = NS_ERROR_NULL_POINTER; diff --git a/mozilla/layout/html/document/src/nsHTMLContentSink.cpp b/mozilla/layout/html/document/src/nsHTMLContentSink.cpp index 9ae5aac2482..0c1c4f1b721 100644 --- a/mozilla/layout/html/document/src/nsHTMLContentSink.cpp +++ b/mozilla/layout/html/document/src/nsHTMLContentSink.cpp 
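Review bot: In CSSLoaderImpl::LoadStyleLink the new check holds `docURI` as a raw `nsIURI*` with a manual `NS_IF_RELEASE`, whereas the matching check in ProcessBaseHref uses `nsCOMPtr` with `getter_AddRefs`. The raw form is balanced as written but will leak once an early return is added between `GetBaseURL` and the release. Suggested: declare `nsCOMPtr<nsIURI> docURI;`, call `rv = mDocument->GetBaseURL(*getter_AddRefs(docURI));`, and drop the `NS_IF_RELEASE`. The last added line also flattens every CheckLoadURI failure to `NS_ERROR_FAILURE`; `if (NS_FAILED(rv)) return rv;` would keep the security manager's error code for callers and logs. The same applies to the identical hunks for mozilla/layout/html/style/src/nsCSSLoader.cpp and mozilla/layout/style/nsCSSLoader.cpp; the function body starts and ends outside the hunk.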
@@ -3374,6 +3374,17 @@ HTMLContentSink::ProcessAREATag(const nsIParserNode& aNode) void HTMLContentSink::ProcessBaseHref(const nsString& aBaseHref) { + //-- Make sure this page is allowed to load this URL + nsresult rv; + NS_WITH_SERVICE(nsIScriptSecurityManager, securityManager, + NS_SCRIPTSECURITYMANAGER_PROGID, &rv); + if (NS_FAILED(rv)) return; + nsCOMPtr baseHrefURI; + rv = NS_NewURI(getter_AddRefs(baseHrefURI), aBaseHref, nsnull); + if (NS_FAILED(rv)) return; + rv = securityManager->CheckLoadURI(mDocumentBaseURL, baseHrefURI, PR_FALSE); + if (NS_FAILED(rv)) return; + if (nsnull == mBody) { // still in real HEAD mHTMLDocument->SetBaseURL(aBaseHref); NS_RELEASE(mDocumentBaseURL); diff --git a/mozilla/layout/html/style/src/nsCSSLoader.cpp b/mozilla/layout/html/style/src/nsCSSLoader.cpp index 96cb97303ff..927396fcdf2 100644 --- a/mozilla/layout/html/style/src/nsCSSLoader.cpp +++ b/mozilla/layout/html/style/src/nsCSSLoader.cpp @@ -50,6 +50,7 @@ #include "nsVoidArray.h" #include "nsISupportsArray.h" #include "nsCOMPtr.h" +#include "nsIScriptSecurityManager.h" #include @@ -1281,6 +1282,17 @@ CSSLoaderImpl::LoadStyleLink(nsIContent* aElement, if (! mDocument) { return NS_ERROR_NOT_INITIALIZED; } + + //-- Make sure this page is allowed to load this URL + nsresult rv; + NS_WITH_SERVICE(nsIScriptSecurityManager, secMan, NS_SCRIPTSECURITYMANAGER_PROGID, &rv); + if (NS_FAILED(rv)) return rv; + nsIURI* docURI; + rv = mDocument->GetBaseURL(docURI); + if (NS_FAILED(rv) || !docURI) return NS_ERROR_FAILURE; + rv = secMan->CheckLoadURI(docURI, aURL, PR_FALSE); + NS_IF_RELEASE(docURI); + if (NS_FAILED(rv)) return NS_ERROR_FAILURE; // XXX need to add code to cancel any pending sheets for element nsresult result = NS_ERROR_NULL_POINTER; diff --git a/mozilla/layout/style/nsCSSLoader.cpp b/mozilla/layout/style/nsCSSLoader.cpp index 96cb97303ff..927396fcdf2 100644 --- a/mozilla/layout/style/nsCSSLoader.cpp +++ b/mozilla/layout/style/nsCSSLoader.cpp 
@@ -50,6 +50,7 @@ #include "nsVoidArray.h" #include "nsISupportsArray.h" #include "nsCOMPtr.h" +#include "nsIScriptSecurityManager.h" #include @@ -1281,6 +1282,17 @@ CSSLoaderImpl::LoadStyleLink(nsIContent* aElement, if (! mDocument) { return NS_ERROR_NOT_INITIALIZED; } + + //-- Make sure this page is allowed to load this URL + nsresult rv; + NS_WITH_SERVICE(nsIScriptSecurityManager, secMan, NS_SCRIPTSECURITYMANAGER_PROGID, &rv); + if (NS_FAILED(rv)) return rv; + nsIURI* docURI; + rv = mDocument->GetBaseURL(docURI); + if (NS_FAILED(rv) || !docURI) return NS_ERROR_FAILURE; + rv = secMan->CheckLoadURI(docURI, aURL, PR_FALSE); + NS_IF_RELEASE(docURI); + if (NS_FAILED(rv)) return NS_ERROR_FAILURE; // XXX need to add code to cancel any pending sheets for element nsresult result = NS_ERROR_NULL_POINTER; diff --git a/mozilla/modules/libpref/src/init/all.js b/mozilla/modules/libpref/src/init/all.js index 1ee7053ac7a..fdfa0985564 100644 --- a/mozilla/modules/libpref/src/init/all.js +++ b/mozilla/modules/libpref/src/init/all.js @@ -440,6 +440,8 @@ pref("security.policy.default.element.setattribute", "sameOrigin"); pref("security.policy.default.element.setattributenode", "sameOrigin"); pref("security.policy.default.element.tagname", "sameOrigin"); +pref("security.policy.default.htmlelement.innerhtml", "sameOrigin"); + pref("security.policy.default.nshtmlformelement.nameditem", "sameOrigin"); pref("security.policy.default.history.current.read", "UniversalBrowserRead");