If the allowed script origin is set to "document" (same host), and when fetching the script a redirect to a different host occurs, the script is still loaded. The URL above shows an example file with two 100x100 rects. Both should be green, indicating that the two scripts didn't load. However, the referenced URL http://mcc.id.au/temp/2006/redirect.js redirects to http://arc.mcc.id.au/temp/2006/nasty-redirected.js, and is then run, which makes the second rect red. There should be some way to enforce this using Java's security stuff, when the ParsedURLData opens the URLConnection, but I am not very familiar with permissions and so on. If this isn't possible, then I guess redirections could be turned off for the URLConnection, which would then have to be handled manually. This is probably a problem for the external resource origin setting, too.