Note that nsFrameLoader::LoadFrame (no idea if that's really the code used by xul:iframe.src="foo") uses nsScriptSecurityManager::CheckLoadURI while nsXMLDocument::Load uses nsScriptSecurityManager::CheckConnect.
CheckLoadURI goes down to file: being PrefControlled, but should it really be for a chrome:// referer? I'm quite hesitant to set that pref, or even to recommend setting that pref to others using my test app.

Axel
