I think my checkin for Bug 628747 was slightly too large of a hammer -- it disables loads from data: URIs, too (e.g. <image xlink:href="data:image/png,etc"/>), which don't suffer from the data leakage problem outlined in bug 628747 comment 0. Data URIs also provide a way for authors to cope with bug 628747, to embed external resources (e.g. raster images) directly for legitimate (non-malicious) uses. bz suggests checking for URI_IS_LOCAL_RESOURCE -- that looks like it's what we want. I'm writing some more comprehensive tests at the moment, and then will post a patch.
Actually, rather than fixing this separately, I'm going to just back out bug 628747 and post/land a better fix there.