I've delayed too long on this - we need to clean up CheckLoadURI. For starters, protocol handlers should be able to advertise their security requirements, rather than hardcoding them in ScriptSecurityManager. Secondly, I want to try to relax the local file loading restriction if we can do it without opening any holes. This will be a metabug for tracking CheckLoadURI related issues.
bug 165799 needs to be fixed before you relax file: URL restrictions.