Created attachment 532084 [details] [diff] [review] patch This seems to work (tested with the patch from bug 656433). Is it going to cause any security problems? I don't know!
Comment on attachment 532084 [details] [diff] [review] patch We actually depend on this code being the way it is to avoid running JS (even in a sandbox) in some contexts. I'd rather not change that behavior right now. For the bug 656433 thing, we'd want to get a null principal in docshell only.
Created attachment 532270 [details] [diff] [review] patch As discussed on IRC.
Created attachment 532274 [details] [diff] [review] patch, with tests
Comment on attachment 532274 [details] [diff] [review] patch, with tests r=me
Note that there's still a slight annoyance here: the JS loaded in this scenario still won't have an associated window object, so thing like e.g. "javsacript:alert(1+1)" still won't work. We should probably get a followup filed to run them against about:blank somehow.