Checking in two fixes on behalf of jesse@netscape.com:

88153 - keep javascript URLs in Page Info dialog from running with system principal
        by making the iframe's source about:blank initially and sandboxing it
        with type=content. sr=blake, r=mstoltz.
88417 - Disallow setting of location.host and other location subparts cross-domain
        r=mstoltz, sr=jst.

suite/browser/pageInfo.js

@@ -163,18 +163,31 @@ function makeImageTree(page, root)
 
 function onImageSelect()
 {
-  var tree = document.getElementById("imageTree");
   var imageFrame = document.getElementById("imageFrame");
+  imageFrame.setAttribute("src", "about:blank");
+
+  var tree = document.getElementById("imageTree");
 
   if (tree.selectedItems.length == 1)
   {
     var clickedRow = tree.selectedItems[0].firstChild;
     var firstCell = clickedRow.firstChild;
     var imageUrl = firstCell.getAttribute("label");
-    imageFrame.setAttribute("src", imageUrl);
+
+    /* The image has to be placed after a setTimeout because of bug 62517. */
+    setTimeout(placeImage, 0, imageFrame, imageUrl);
   }
 }
 
+function placeImage(imageFrame, imageUrl)
+{
+  var imageDoc = imageFrame.contentDocument;
+  var imageNode = imageDoc.createElement("img");
+  imageNode.setAttribute("src", imageUrl);
+
+  imageDoc.documentElement.appendChild(imageNode);
+}
+
 function BrowserClose()
 {
   window.close();

suite/browser/pageInfo.xul

@@ -139,7 +139,7 @@
       <splitter collapse="after" id="imageSplitter"/>
       
       <hbox id="imagePreviewContainer" flex="1">
-        <iframe id="imageFrame" class="inset" src="about:blank" flex="1"/>
+        <iframe id="imageFrame" class="inset" type="content" src="about:blank" flex="1"/>
       </hbox>
     </vbox>