diff --git a/mozilla/caps/include/nsScriptSecurityManager.h b/mozilla/caps/include/nsScriptSecurityManager.h
index 62288387388..84f321baf29 100644
--- a/mozilla/caps/include/nsScriptSecurityManager.h
+++ b/mozilla/caps/include/nsScriptSecurityManager.h
@@ -52,6 +52,7 @@
 #include "nsCOMPtr.h"
 #include "nsIPrefService.h"
 #include "nsISecurityPref.h"
+#include "nsIChannelEventSink.h"
 #include "nsIJSContextStack.h"
 #include "nsIObserver.h"
 #include "pldhash.h"
@@ -346,6 +347,7 @@ private:
 
 class nsScriptSecurityManager : public nsIScriptSecurityManager,
                                 public nsIPrefSecurityCheck,
+                                public nsIChannelEventSink,
                                 public nsIObserver
 {
 public:
@@ -357,6 +359,7 @@ public:
     NS_DECL_NSISCRIPTSECURITYMANAGER
     NS_DECL_NSIXPCSECURITYMANAGER
     NS_DECL_NSIPREFSECURITYCHECK
+    NS_DECL_NSICHANNELEVENTSINK
     NS_DECL_NSIOBSERVER
 
     static nsScriptSecurityManager*
diff --git a/mozilla/caps/src/nsScriptSecurityManager.cpp b/mozilla/caps/src/nsScriptSecurityManager.cpp
index 98e040e518d..c3cb69ac4b2 100644
--- a/mozilla/caps/src/nsScriptSecurityManager.cpp
+++ b/mozilla/caps/src/nsScriptSecurityManager.cpp
@@ -428,10 +428,11 @@ DeleteDomainEntry(nsHashKey *aKey, void *aData, void* closure)
 ////////////////////////////////////
 // Methods implementing ISupports //
 ////////////////////////////////////
-NS_IMPL_ISUPPORTS4(nsScriptSecurityManager,
+NS_IMPL_ISUPPORTS5(nsScriptSecurityManager,
                    nsIScriptSecurityManager,
                    nsIXPCSecurityManager,
                    nsIPrefSecurityCheck,
+                   nsIChannelEventSink,
                    nsIObserver)
 
 ///////////////////////////////////////////////////
@@ -2872,6 +2873,25 @@ nsScriptSecurityManager::CanAccessSecurityPreferences(PRBool* _retval)
     return IsCapabilityEnabled("CapabilityPreferencesAccess", _retval);  
 }
 
+/////////////////////////////////////////////
+// Method implementing nsIChannelEventSink //
+/////////////////////////////////////////////
+NS_IMETHODIMP
+nsScriptSecurityManager::OnChannelRedirect(nsIChannel* oldChannel, 
+                                           nsIChannel* newChannel,
+                                           PRUint32 redirFlags)
+{
+    nsCOMPtr<nsIURI> oldURI, newURI;
+    oldChannel->GetURI(getter_AddRefs(oldURI));
+    newChannel->GetURI(getter_AddRefs(newURI));
+
+    NS_ENSURE_STATE(oldURI && newURI);
+
+    const PRUint32 flags = nsIScriptSecurityManager::DISALLOW_FROM_MAIL |
+                           nsIScriptSecurityManager::DISALLOW_SCRIPT_OR_DATA;
+    return CheckLoadURI(oldURI, newURI, flags);
+}
+
 
 /////////////////////////////////////
 // Method implementing nsIObserver //
diff --git a/mozilla/caps/src/nsSecurityManagerFactory.cpp b/mozilla/caps/src/nsSecurityManagerFactory.cpp
index 67fff2c4247..ff249e5e352 100644
--- a/mozilla/caps/src/nsSecurityManagerFactory.cpp
+++ b/mozilla/caps/src/nsSecurityManagerFactory.cpp
@@ -53,6 +53,7 @@
 #include "nsIServiceManager.h"
 #include "nsString.h"
 #include "nsPrefsCID.h"
+#include "nsNetCID.h"
 
 ///////////////////////
 // nsSecurityNameSet //
@@ -422,6 +423,20 @@ static const nsModuleComponentInfo capsComponentInfo[] =
       nsIClassInfo::MAIN_THREAD_ONLY
     },
 
+    { NS_SCRIPTSECURITYMANAGER_CLASSNAME,
+      NS_SCRIPTSECURITYMANAGER_CID,
+      NS_GLOBAL_CHANNELEVENTSINK_CONTRACTID,
+      Construct_nsIScriptSecurityManager,
+      RegisterSecurityNameSet,
+      nsnull,
+      nsnull,
+      nsnull,
+      nsnull,
+      nsnull,
+      nsIClassInfo::MAIN_THREAD_ONLY
+    },
+
+
 
     { NS_PRINCIPAL_CLASSNAME, 
       NS_PRINCIPAL_CID, 
diff --git a/mozilla/netwerk/build/nsNetCID.h b/mozilla/netwerk/build/nsNetCID.h
index 9cabc1ce0cd..0b59f5a4375 100644
--- a/mozilla/netwerk/build/nsNetCID.h
+++ b/mozilla/netwerk/build/nsNetCID.h
@@ -746,4 +746,16 @@
     {0xa1, 0x6c, 0x00, 0x50, 0x04, 0x1c, 0xaf, 0x44} \
 }
 
+/******************************************************************************
+ * Contracts that can be implemented by necko users.
+ */
+
+/**
+ * This contract ID will be gotten as a service and gets the opportunity to look
+ * at and veto all redirects that are processed by necko.
+ */
+#define NS_GLOBAL_CHANNELEVENTSINK_CONTRACTID \
+  "@mozilla.org/netwerk/global-channel-event-sink;1"
+
+
 #endif // nsNetCID_h__
diff --git a/mozilla/netwerk/protocol/http/src/Makefile.in b/mozilla/netwerk/protocol/http/src/Makefile.in
index d2069270cac..e101cebca6d 100644
--- a/mozilla/netwerk/protocol/http/src/Makefile.in
+++ b/mozilla/netwerk/protocol/http/src/Makefile.in
@@ -54,8 +54,6 @@ REQUIRES	= xpcom \
 		  intl \
 		  unicharutil \
 		  caps \
-		  xpconnect \
-		  js \
 		  uconv \
 		  $(NULL)
 
diff --git a/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp b/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp
index 7d445903047..ddb267bb55a 100644
--- a/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp
+++ b/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp
@@ -52,7 +52,6 @@
 #include "nsXPCOM.h"
 #include "nsISupportsPrimitives.h"
 #include "nsIURL.h"
-#include "nsIScriptSecurityManager.h"
 #include "nsIIDNService.h"
 #include "nsIStreamListenerTee.h"
 #include "nsISeekableStream.h"
@@ -2036,16 +2035,6 @@ nsHttpChannel::ProcessRedirection(PRUint32 redirectType)
                            getter_AddRefs(newURI));
     if (NS_FAILED(rv)) return rv;
 
-    // verify that this is a legal redirect
-    nsCOMPtr<nsIScriptSecurityManager> securityManager = 
-             do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID);
-    if (securityManager) {
-        rv = securityManager->CheckLoadURI(mURI, newURI,
-                                           nsIScriptSecurityManager::DISALLOW_FROM_MAIL |
-                                           nsIScriptSecurityManager::DISALLOW_SCRIPT_OR_DATA);
-        if (NS_FAILED(rv)) return rv;
-    }
-
     // Kill the current cache entry if we are redirecting
     // back to ourself.
     PRBool redirectingBackToSameURI = PR_FALSE;
@@ -2083,6 +2072,20 @@ nsHttpChannel::ProcessRedirection(PRUint32 redirectType)
     rv = SetupReplacementChannel(newURI, newChannel, preserveMethod);
     if (NS_FAILED(rv)) return rv;
 
+    PRUint32 redirectFlags;
+    if (redirectType == 301) // Moved Permanently
+        redirectFlags = nsIChannelEventSink::REDIRECT_PERMANENT;
+    else
+        redirectFlags = nsIChannelEventSink::REDIRECT_TEMPORARY;
+
+    // verify that this is a legal redirect
+    nsCOMPtr<nsIChannelEventSink> globalObserver = 
+             do_GetService(NS_GLOBAL_CHANNELEVENTSINK_CONTRACTID);
+    if (globalObserver) {
+        rv = globalObserver->OnChannelRedirect(this, newChannel, redirectFlags);
+        if (NS_FAILED(rv)) return rv;
+    }
+
     // call out to the event sink to notify it of this redirection.
     nsCOMPtr<nsIHttpEventSink> httpEventSink;
     GetCallback(httpEventSink);
@@ -2095,12 +2098,7 @@ nsHttpChannel::ProcessRedirection(PRUint32 redirectType)
     nsCOMPtr<nsIChannelEventSink> channelEventSink;
     GetCallback(channelEventSink);
     if (channelEventSink) {
-        PRUint32 flags;
-        if (redirectType == 301) // Moved Permanently
-            flags = nsIChannelEventSink::REDIRECT_PERMANENT;
-        else
-            flags = nsIChannelEventSink::REDIRECT_TEMPORARY;
-        rv = channelEventSink->OnChannelRedirect(this, newChannel, flags);
+        rv = channelEventSink->OnChannelRedirect(this, newChannel, redirectFlags);
         if (NS_FAILED(rv)) return rv;
     }
     // XXX we used to talk directly with the script security manager, but that