diff --git a/mozilla/caps/src/nsScriptSecurityManager.cpp b/mozilla/caps/src/nsScriptSecurityManager.cpp
index c61bd598a9e..6841aae551e 100644
--- a/mozilla/caps/src/nsScriptSecurityManager.cpp
+++ b/mozilla/caps/src/nsScriptSecurityManager.cpp
@@ -1990,16 +1990,15 @@ nsScriptSecurityManager::IsCapabilityEnabled(const char *capability,
 nsresult rv;
 JSStackFrame *fp = nsnull;
 JSContext *cx = GetCurrentJSContext();
- fp = cx ? JS_FrameIterator(cx, &fp) : nsnull;
- if (!fp)
+ if (!cx)
 {
- // No script code on stack. Allow execution.
+ // No context reachable. Allow execution.
 *result = PR_TRUE;
 return NS_OK;
 }
 *result = PR_FALSE;
 nsCOMPtr previousPrincipal;
- do
+ while ((fp = JS_FrameIterator(cx, &fp)) != nsnull)
 {
 nsCOMPtr principal;
 if (NS_FAILED(GetFramePrincipal(cx, fp, getter_AddRefs(principal))))
@@ -2031,7 +2030,7 @@ nsScriptSecurityManager::IsCapabilityEnabled(const char *capability,
 if (NS_FAILED(rv)) return rv;
 if (*result) return NS_OK;
- } while ((fp = JS_FrameIterator(cx, &fp)) != nsnull);
+ }
 if (!previousPrincipal)
 {
diff --git a/mozilla/dom/src/base/nsGlobalWindow.cpp b/mozilla/dom/src/base/nsGlobalWindow.cpp
index 44773e33696..e8e095ff45a 100644
--- a/mozilla/dom/src/base/nsGlobalWindow.cpp
+++ b/mozilla/dom/src/base/nsGlobalWindow.cpp
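Review bot: In nsScriptSecurityManager::IsCapabilityEnabled the `!cx` branch still fails open (`*result = PR_TRUE`), and the new comment does not say why granting a capability is safe when no context is reachable. With the loop changed from do/while to while, a context that is on the stack but has no scripted frames now skips the loop entirely, so its result is decided by the `if (!previousPrincipal)` block, whose body lies outside both hunks of this file. The nsGlobalWindow.cpp change in this commit may push such a frameless context, so I would state the dependency here, e.g. `// No JS context at all, so only native code is calling: allow. A context with no scripted frames is decided by the !previousPrincipal check below.` A regression test for the frameless-context case would pin the intended answer.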
@@ -3356,8 +3356,31 @@ GlobalWindowImpl::Open(nsIDOMWindow **_retval)
 return NS_OK; // don't open the window, but also don't throw a JS exception
 }
+ // If we're called from chrome, push our context onto the context
+ // stack. This is so that opening a window from chrome by calling
+ // open() on a non-chrome window doesn't allow chrome-only features
+ // on the new window (opened through this non-chrome window).
+ nsCOMPtr stack;
+
+ if (IsCallerChrome() && mContext) {
+ stack = do_GetService(sJSStackContractID);
+
+ JSContext *my_cx = NS_REINTERPRET_CAST(JSContext *,
+ mContext->GetNativeContext());
+
+ if (stack && my_cx) {
+ stack->Push(my_cx);
+ } else {
+ stack = nsnull;
+ }
+ }
+
 rv = OpenInternal(url, name, options, PR_FALSE, nsnull, 0, nsnull, _retval);
+ if (stack) {
+ stack->Pop(nsnull);
+ }
+
 nsCOMPtr chrome_win(do_QueryInterface(*_retval));
 if (NS_SUCCEEDED(rv)) {
diff --git a/mozilla/xpfe/browser/resources/content/navigator.js b/mozilla/xpfe/browser/resources/content/navigator.js
index 70d7751c47c..89fcd038d6f 100644
--- a/mozilla/xpfe/browser/resources/content/navigator.js
+++ b/mozilla/xpfe/browser/resources/content/navigator.js
@@ -2239,7 +2239,10 @@ function createShowPopupsMenu(parent) {
 function popupBlockerMenuCommand(target) {
 var uri = target.getAttribute("uri");
 if (uri) {
- window.open(uri, "", target.getAttribute("features"));
+ // Make sure we use the content window to open the popup to
+ // prevent it from being able to set flags it shoudn't be able to
+ // set.
+ window.content.open(uri, "", target.getAttribute("features"));
 }
 }
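Review bot: The result of `stack->Push(my_cx)` in GlobalWindowImpl::Open is ignored, so if the push fails `stack` stays set and the later `stack->Pop(nsnull)` removes whatever context was on top before this call, leaving the context stack unbalanced for the caller. Since the capability checks read that stack, I would keep `stack` only when the push succeeded: `if (!stack || !my_cx || NS_FAILED(stack->Push(my_cx))) { stack = nsnull; }`. The same block also fails open: when the service or the native context is unavailable, `OpenInternal` still runs with the chrome caller's context, which is the case the new comment sets out to prevent. Returning an error there instead looks safer, though the rest of the function lies outside the hunk, so confirm callers tolerate it.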
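Review bot: The new comment in popupBlockerMenuCommand says what to avoid but not what the protection relies on. `window.content.open` is only safer than `window.open` because GlobalWindowImpl::Open, changed in this same commit, pushes the content window's context when called from chrome. I would name that in the comment and fix the `shoudn't` typo, e.g. `// Open through the content window so the "features" string is applied with content privileges, not chrome privileges (see GlobalWindowImpl::Open).` The `uri` and `features` attributes presumably originate from the blocked page, and the hunk shows no validation of either before the call, so treat them as untrusted input.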