diff --git a/dom/src/jsurl/crashtests/457050-1-inner.html b/dom/src/jsurl/crashtests/457050-1-inner.html
new file mode 100644
index 00000000000..54521c9a50d
--- /dev/null
+++ b/dom/src/jsurl/crashtests/457050-1-inner.html
@@ -0,0 +1,8 @@
+<html>
+<head>
+<link rel="stylesheet" type="text/css" href="javascript:'p { color: green }'">
+</head>
+<body onload="parent.next(window);">
+<p>Hello</p>
+</body>
+</html>
diff --git a/dom/src/jsurl/crashtests/457050-1.html b/dom/src/jsurl/crashtests/457050-1.html
new file mode 100644
index 00000000000..17e3faf8e22
--- /dev/null
+++ b/dom/src/jsurl/crashtests/457050-1.html
@@ -0,0 +1,18 @@
+<html class="reftest-wait">
+<head>
+<script type="text/javascript">
+var i = 0;
+function next(w)
+{
+  ++i;
+  if (i == 1)
+    w.location.reload();
+  if (i == 2)
+    document.documentElement.removeAttribute("class");
+}
+</script>
+</head>
+<body>
+<iframe src="457050-1-inner.html"></iframe>
+</body>
+</html>
diff --git a/dom/src/jsurl/crashtests/crashtests.list b/dom/src/jsurl/crashtests/crashtests.list
index 6ff35ca7ad7..51f92d51b52 100644
--- a/dom/src/jsurl/crashtests/crashtests.list
+++ b/dom/src/jsurl/crashtests/crashtests.list
@@ -1,3 +1,4 @@
 load 341963-1.html
 load 344874-1.html
 load 344996-1.xhtml
+load 457050-1.html
diff --git a/dom/src/jsurl/nsJSProtocolHandler.cpp b/dom/src/jsurl/nsJSProtocolHandler.cpp
index 7d214e2bf20..c2c4cc5b4a2 100644
--- a/dom/src/jsurl/nsJSProtocolHandler.cpp
+++ b/dom/src/jsurl/nsJSProtocolHandler.cpp
@@ -849,6 +849,25 @@ nsJSChannel::GetLoadFlags(nsLoadFlags *aLoadFlags)
 NS_IMETHODIMP
 nsJSChannel::SetLoadFlags(nsLoadFlags aLoadFlags)
 {
+    // Figure out whether the LOAD_BACKGROUND bit in aLoadFlags is
+    // actually right.
+    PRBool bogusLoadBackground = PR_FALSE;
+    if (mIsActive && !(mActualLoadFlags & LOAD_BACKGROUND) &&
+        (aLoadFlags & LOAD_BACKGROUND)) {
+        // We're getting a LOAD_BACKGROUND, but it's probably just our own fake
+        // flag being mirrored to us.  The one exception is if our loadgroup is
+        // LOAD_BACKGROUND.
+        PRBool loadGroupIsBackground = PR_FALSE;
+        nsCOMPtr<nsILoadGroup> loadGroup;
+        mStreamChannel->GetLoadGroup(getter_AddRefs(loadGroup));
+        if (loadGroup) {
+            nsLoadFlags loadGroupFlags;
+            loadGroup->GetLoadFlags(&loadGroupFlags);
+            loadGroupIsBackground = ((loadGroupFlags & LOAD_BACKGROUND) != 0);
+        }
+        bogusLoadBackground = !loadGroupIsBackground;
+    }
+    
     // Since the javascript channel is never the actual channel that
     // any data is loaded through, don't ever set the
     // LOAD_DOCUMENT_URI flag on it, since that could lead to two
@@ -860,6 +879,12 @@ nsJSChannel::SetLoadFlags(nsLoadFlags aLoadFlags)
     
     mLoadFlags = aLoadFlags & ~LOAD_DOCUMENT_URI;
 
+    if (bogusLoadBackground) {
+        aLoadFlags = aLoadFlags & ~LOAD_BACKGROUND;
+    }
+
+    mActualLoadFlags = aLoadFlags;
+
     // ... but the underlying stream channel should get this bit, if
     // set, since that'll be the real document channel if the
     // javascript: URL generated data.