diff --git a/xpinstall/src/nsJSInstallTriggerGlobal.cpp b/xpinstall/src/nsJSInstallTriggerGlobal.cpp index 1b3e9f0d27c..df8ee72d0ad 100644 --- a/xpinstall/src/nsJSInstallTriggerGlobal.cpp +++ b/xpinstall/src/nsJSInstallTriggerGlobal.cpp @@ -143,6 +143,39 @@ static JSBool CreateNativeObject(JSContext *cx, JSObject *obj, nsIDOMInstallTrig return JS_TRUE; } +// +// Helper function for URI verification +// +static nsresult +InstallTriggerCheckLoadURIFromScript(const nsAString& uriStr) +{ + nsresult rv; + nsCOMPtr secman( + do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID,&rv)); + NS_ENSURE_SUCCESS(rv, rv); + + // get the script base URI + nsCOMPtr scriptURI; + nsCOMPtr principal; + rv = secman->GetSubjectPrincipal(getter_AddRefs(principal)); + NS_ENSURE_SUCCESS(rv, rv); + if (!principal) + return NS_ERROR_FAILURE; + + rv = principal->GetURI(getter_AddRefs(scriptURI)); + NS_ENSURE_SUCCESS(rv, rv); + + // convert the requested URL string to a URI + nsCOMPtr uri; + rv = NS_NewURI(getter_AddRefs(uri), uriStr); + NS_ENSURE_SUCCESS(rv, rv); + + // are we allowed to load this one? + rv = secman->CheckLoadURI(scriptURI, uri, + nsIScriptSecurityManager::DISALLOW_SCRIPT_OR_DATA); + return rv; +} + // // Native method UpdateEnabled // @@ -215,11 +248,7 @@ InstallTriggerGlobalInstall(JSContext *cx, JSObject *obj, uintN argc, jsval *arg } } - // if we can't create a security manager we might be in the wizard, allow PRBool abortLoad = PR_FALSE; - nsCOMPtr secman( - do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID)); - // parse associative array of installs if ( argc >= 1 && JSVAL_IS_OBJECT(argv[0]) ) 
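Review bot: In the new InstallTriggerCheckLoadURIFromScript helper, `scriptURI` is passed from `principal->GetURI()` into `secman->CheckLoadURI()` with only the return code checked. If GetURI can succeed while leaving the URI null (for example a principal that has no URI; not visible from this hunk), the check runs against a null source. Adding `if (!scriptURI) return NS_ERROR_FAILURE;` after the NS_ENSURE_SUCCESS keeps the helper failing closed, in line with the existing `!principal` guard. The header comment "Helper function for URI verification" should also state the contract: any failure to get the security manager, the subject principal or a parsed URI now rejects the load, which reverses the removed "might be in the wizard, allow" behaviour, and the check is made with DISALLOW_SCRIPT_OR_DATA.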
@@ -267,19 +296,6 @@ InstallTriggerGlobalInstall(JSContext *cx, JSObject *obj, uintN argc, jsval *arg xpiURL = NS_ConvertUTF8toUTF16(resolvedURL); } - // Make sure we're allowed to load this URL - if (secman) - { - nsCOMPtr uri; - nsresult rv = NS_NewURI(getter_AddRefs(uri), xpiURL); - if (NS_SUCCEEDED(rv)) - { - rv = secman->CheckLoadURIFromScript(cx, uri); - if (NS_FAILED(rv)) - abortLoad = PR_TRUE; - } - } - nsAutoString icon(iconURL); if (iconURL && baseURL) { @@ -288,13 +304,28 @@ InstallTriggerGlobalInstall(JSContext *cx, JSObject *obj, uintN argc, jsval *arg icon = NS_ConvertUTF8toUTF16(resolvedIcon); } - nsXPITriggerItem *item = new nsXPITriggerItem( name, xpiURL.get(), icon.get() ); - if ( item ) - { - trigger->Add( item ); - } - else + // Make sure we're allowed to load this URL and the icon URL + nsresult rv = InstallTriggerCheckLoadURIFromScript(xpiURL); + if (NS_FAILED(rv)) abortLoad = PR_TRUE; + + if (!abortLoad && iconURL) + { + rv = InstallTriggerCheckLoadURIFromScript(icon); + if (NS_FAILED(rv)) + abortLoad = PR_TRUE; + } + + if (!abortLoad) + { + nsXPITriggerItem *item = new nsXPITriggerItem( name, xpiURL.get(), icon.get() ); + if ( item ) + { + trigger->Add( item ); + } + else + abortLoad = PR_TRUE; + } } else abortLoad = PR_TRUE; @@ -393,20 +424,9 @@ InstallTriggerGlobalInstallChrome(JSContext *cx, JSObject *obj, uintN argc, jsva } // Make sure caller is allowed to load this url. - // if we can't create a security manager we might be in the wizard, allow - nsCOMPtr secman( - do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID)); - if (secman) - { - nsCOMPtr uri; - nsresult rv = NS_NewURI(getter_AddRefs(uri), sourceURL); - if (NS_SUCCEEDED(rv)) - { - rv = secman->CheckLoadURIFromScript(cx, uri); - if (NS_FAILED(rv)) - return JS_FALSE; - } - } + nsresult rv = InstallTriggerCheckLoadURIFromScript(sourceURL); + if (NS_FAILED(rv)) + return JS_FALSE; if ( chromeType & CHROME_ALL ) { 
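Review bot: In the `@@ -288,13 +304,28 @@` hunk of InstallTriggerGlobalInstall, the icon check runs whenever `iconURL` is non-null, so an icon string that is empty or was left unresolved fails NS_NewURI inside the helper and sets `abortLoad`. The resolution step just above only runs when `baseURL` is set, and the icon was not checked at all before this change. If rejecting the install over an unusable icon is intended, say so in the comment, e.g. `// Fail closed: an unparseable or disallowed XPI or icon URL sets abortLoad`; if not, narrow the guard to `if (!abortLoad && iconURL && !icon.IsEmpty())`. The rest of the function, including how `abortLoad` is consumed, lies outside the hunk.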
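Review bot: In the `@@ -393,20 +424,9 @@` hunk (InstallTriggerGlobalInstallChrome), `return JS_FALSE` is now reached without anything visibly being reported on `cx`. The removed `CheckLoadURIFromScript(cx, uri)` call received the context, while the new helper takes only the URL string, so a refused URL presumably ends the call with no catchable exception and no console message. That makes a blocked install hard to tell apart from a crash when triaging; consider reporting before the return, e.g. `JS_ReportError(cx, "InstallTrigger: not allowed to load the requested URL");`. The same applies to the `@@ -481,20 +501,9 @@` hunk in InstallTriggerGlobalStartSoftwareUpdate, and both function bodies continue outside their hunks.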
@@ -481,20 +501,9 @@ InstallTriggerGlobalStartSoftwareUpdate(JSContext *cx, JSObject *obj, uintN argc } // Make sure caller is allowed to load this url. - // if we can't create a security manager we might be in the wizard, allow - nsCOMPtr secman( - do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID)); - if (secman) - { - nsCOMPtr uri; - nsresult rv = NS_NewURI(getter_AddRefs(uri), xpiURL); - if (NS_SUCCEEDED(rv)) - { - rv = secman->CheckLoadURIFromScript(cx, uri); - if (NS_FAILED(rv)) - return JS_FALSE; - } - } + nsresult rv = InstallTriggerCheckLoadURIFromScript(xpiURL); + if (NS_FAILED(rv)) + return JS_FALSE; if (argc >= 2 && !JS_ValueToInt32(cx, argv[1], (int32 *)&flags)) {