diff --git a/browser/components/preferences/in-content/jar.mn b/browser/components/preferences/in-content/jar.mn
index 2b852a33b22..df766fb0fb9 100644
--- a/browser/components/preferences/in-content/jar.mn
+++ b/browser/components/preferences/in-content/jar.mn
@@ -15,4 +15,6 @@ browser.jar:
    content/browser/preferences/in-content/content.xul
    content/browser/preferences/in-content/content.js
    content/browser/preferences/in-content/sync.xul
-   content/browser/preferences/in-content/sync.js
\ No newline at end of file
+   content/browser/preferences/in-content/sync.js
+   content/browser/preferences/in-content/security.xul
+   content/browser/preferences/in-content/security.js
diff --git a/browser/components/preferences/in-content/preferences.js b/browser/components/preferences/in-content/preferences.js
index bdeca4b6f29..a70fafc2673 100644
--- a/browser/components/preferences/in-content/preferences.js
+++ b/browser/components/preferences/in-content/preferences.js
@@ -26,6 +26,7 @@ function init_all() {
   gApplicationsPane.init();
   gContentPane.init();
   gSyncPane.init();
+  gSecurityPane.init();
   var initFinished = document.createEvent("Event");
   initFinished.initEvent("Initialized", true, true);
   document.dispatchEvent(initFinished);
diff --git a/browser/components/preferences/in-content/preferences.xul b/browser/components/preferences/in-content/preferences.xul
index d9955ce7534..14a676302ba 100644
--- a/browser/components/preferences/in-content/preferences.xul
+++ b/browser/components/preferences/in-content/preferences.xul
@@ -96,7 +96,7 @@
 #include advanced.xul
 #include applications.xul
 #include content.xul
-
+#include security.xul
 #ifdef MOZ_SERVICES_SYNC
 #include sync.xul
 #endif
diff --git a/browser/components/preferences/in-content/security.js b/browser/components/preferences/in-content/security.js
new file mode 100644
index 00000000000..d65081e0ada
--- /dev/null
+++ b/browser/components/preferences/in-content/security.js
@@ -0,0 +1,215 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+var gSecurityPane = {
+  _pane: null,
+
+  /**
+   * Initializes master password UI.
+   */
+  init: function ()
+  {
+    this._pane = document.getElementById("paneSecurity");
+    this._initMasterPasswordUI();
+  },
+
+  // ADD-ONS
+
+  /*
+   * Preferences:
+   *
+   * xpinstall.whitelist.required
+   * - true if a site must be added to a site whitelist before extensions
+   *   provided by the site may be installed from it, false if the extension
+   *   may be directly installed after a confirmation dialog
+   */
+
+  /**
+   * Enables/disables the add-ons Exceptions button depending on whether
+   * or not add-on installation warnings are displayed.
+   */
+  readWarnAddonInstall: function ()
+  {
+    var warn = document.getElementById("xpinstall.whitelist.required");
+    var exceptions = document.getElementById("addonExceptions");
+
+    exceptions.disabled = !warn.value;
+
+    // don't override the preference value
+    return undefined;
+  },
+
+  /**
+   * Displays the exceptions lists for add-on installation warnings.
+   */
+  showAddonExceptions: function ()
+  {
+    var bundlePrefs = document.getElementById("bundlePreferences");
+
+    var params = this._addonParams;
+    if (!params.windowTitle || !params.introText) {
+      params.windowTitle = bundlePrefs.getString("addons_permissions_title");
+      params.introText = bundlePrefs.getString("addonspermissionstext");
+    }
+
+    openDialog("chrome://browser/content/preferences/permissions.xul",
+               "Browser:Permissions",
+               "model=yes",
+               params);
+  },
+
+  /**
+   * Parameters for the add-on install permissions dialog.
+   */
+  _addonParams:
+    {
+      blockVisible: false,
+      sessionVisible: false,
+      allowVisible: true,
+      prefilledHost: "",
+      permissionType: "install"
+    },
+
+  // PASSWORDS
+
+  /*
+   * Preferences:
+   *
+   * signon.rememberSignons
+   * - true if passwords are remembered, false otherwise
+   */
+
+  /**
+   * Enables/disables the Exceptions button used to configure sites where
+   * passwords are never saved.
+   */
+  readSavePasswords: function ()
+  {
+    var pref = document.getElementById("signon.rememberSignons");
+    var excepts = document.getElementById("passwordExceptions");
+
+    excepts.disabled = !pref.value;
+
+    // don't override pref value in UI
+    return undefined;
+  },
+
+  /**
+   * Displays a dialog in which the user can view and modify the list of sites
+   * where passwords are never saved.
+   */
+  showPasswordExceptions: function ()
+  {
+    openDialog("chrome://passwordmgr/content/passwordManagerExceptions.xul",
+               "Toolkit:PasswordManagerExceptions",
+               "model=yes",
+               null);
+  },
+
+  /**
+   * Initializes master password UI: the "use master password" checkbox, selects
+   * the master password button to show, and enables/disables it as necessary.
+   * The master password is controlled by various bits of NSS functionality, so
+   * the UI for it can't be controlled by the normal preference bindings.
+   */
+  _initMasterPasswordUI: function ()
+  {
+    var noMP = !this._masterPasswordSet();
+
+    var button = document.getElementById("changeMasterPassword");
+    button.disabled = noMP;
+
+    var checkbox = document.getElementById("useMasterPassword");
+    checkbox.checked = !noMP;
+  },
+
+  /**
+   * Returns true if the user has a master password set and false otherwise.
+   */
+  _masterPasswordSet: function ()
+  {
+    var secmodDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].
+                   getService(Ci.nsIPKCS11ModuleDB);
+    var slot = secmodDB.findSlotByName("");
+    if (slot) {
+      var status = slot.status;
+      var hasMP = status != Ci.nsIPKCS11Slot.SLOT_UNINITIALIZED &&
+                  status != Ci.nsIPKCS11Slot.SLOT_READY;
+      return hasMP;
+    } else {
+      // XXX I have no bloody idea what this means
+      return false;
+    }
+  },
+
+  /**
+   * Enables/disables the master password button depending on the state of the
+   * "use master password" checkbox, and prompts for master password removal if
+   * one is set.
+   */
+  updateMasterPasswordButton: function ()
+  {
+    var checkbox = document.getElementById("useMasterPassword");
+    var button = document.getElementById("changeMasterPassword");
+    button.disabled = !checkbox.checked;
+
+    // unchecking the checkbox should try to immediately remove the master
+    // password, because it's impossible to non-destructively remove the master
+    // password used to encrypt all the passwords without providing it (by
+    // design), and it would be extremely odd to pop up that dialog when the
+    // user closes the prefwindow and saves his settings
+    if (!checkbox.checked)
+      this._removeMasterPassword();
+    else
+      this.changeMasterPassword();
+
+    this._initMasterPasswordUI();
+  },
+
+  /**
+   * Displays the "remove master password" dialog to allow the user to remove
+   * the current master password.  When the dialog is dismissed, master password
+   * UI is automatically updated.
+   */
+  _removeMasterPassword: function ()
+  {
+    var secmodDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].
+                   getService(Ci.nsIPKCS11ModuleDB);
+    if (secmodDB.isFIPSEnabled) {
+      var promptService = Cc["@mozilla.org/embedcomp/prompt-service;1"].
+                          getService(Ci.nsIPromptService);
+      var bundle = document.getElementById("bundlePreferences");
+      promptService.alert(window,
+                          bundle.getString("pw_change_failed_title"),
+                          bundle.getString("pw_change2empty_in_fips_mode"));
+    }
+    else {
+      openDialog("chrome://mozapps/content/preferences/removemp.xul",
+                 "Toolkit:RemoveMasterPassword", "modal=yes", null);
+    }
+    this._initMasterPasswordUI();
+  },
+
+  /**
+   * Displays a dialog in which the master password may be changed.
+   */
+  changeMasterPassword: function ()
+  {
+    openDialog("chrome://mozapps/content/preferences/changemp.xul",
+               "Toolkit:ChangeMasterPassword", "modal=yes", null);
+    this._initMasterPasswordUI();
+  },
+
+  /**
+   * Shows the sites where the user has saved passwords and the associated login
+   * information.
+   */
+  showPasswords: function ()
+  {
+    openDialog("chrome://passwordmgr/content/passwordManager.xul",
+               "Toolkit:PasswordManager",
+               "modal=yes", null);
+  }
+
+};
diff --git a/browser/components/preferences/in-content/security.xul b/browser/components/preferences/in-content/security.xul
new file mode 100644
index 00000000000..25d967d6109
--- /dev/null
+++ b/browser/components/preferences/in-content/security.xul
@@ -0,0 +1,96 @@
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+   - License, v. 2.0. If a copy of the MPL was not distributed with this file,
+   - You can obtain one at http://mozilla.org/MPL/2.0/.  -->
+
+<script type="application/javascript" 
+        src="chrome://browser/content/preferences/in-content/security.js"/>  
+
+<preferences id="securityPreferences">
+  <!-- XXX buttons -->
+  <preference id="pref.privacy.disable_button.view_passwords"
+              name="pref.privacy.disable_button.view_passwords"
+              type="bool"/>
+  <preference id="pref.privacy.disable_button.view_passwords_exceptions"
+              name="pref.privacy.disable_button.view_passwords_exceptions"
+              type="bool"/>
+
+  <!-- Add-ons, malware, phishing -->
+  <preference id="xpinstall.whitelist.required"
+              name="xpinstall.whitelist.required"
+              type="bool"/>
+  <preference id="browser.safebrowsing.malware.enabled"
+              name="browser.safebrowsing.malware.enabled"
+              type="bool"/>
+  <preference id="browser.safebrowsing.enabled"
+              name="browser.safebrowsing.enabled"
+              type="bool"/>
+
+  <!-- Passwords -->
+  <preference id="signon.rememberSignons" name="signon.rememberSignons" type="bool"/>
+
+</preferences>
+
+<hbox class="heading" data-category="paneSecurity" hidden="true">
+  <image class="preference-icon" type="security"/>
+  <html:h1>&paneSecurity.title;</html:h1>
+</hbox>
+
+<!-- addons, forgery (phishing) UI -->
+<groupbox id="addonsPhishingGroup" data-category="paneSecurity" hidden="true">
+  <hbox id="addonInstallBox">
+    <checkbox id="warnAddonInstall" flex="1"
+              label="&warnAddonInstall.label;"
+              accesskey="&warnAddonInstall.accesskey;"
+              preference="xpinstall.whitelist.required"
+              onsyncfrompreference="return gSecurityPane.readWarnAddonInstall();"/>
+    <button id="addonExceptions"
+            label="&addonExceptions.label;"
+            accesskey="&addonExceptions.accesskey;"
+            oncommand="gSecurityPane.showAddonExceptions();"/>
+  </hbox>
+
+  <separator class="thin"/>
+  <checkbox id="blockAttackSites"
+            label="&blockAttackSites.label;"
+            accesskey="&blockAttackSites.accesskey;"
+            preference="browser.safebrowsing.malware.enabled" />
+  <checkbox id="blockWebForgeries"
+            label="&blockWebForgeries.label;"
+            accesskey="&blockWebForgeries.accesskey;"
+            preference="browser.safebrowsing.enabled" />
+</groupbox>
+
+<!-- Passwords -->
+<groupbox id="passwordsGroup" orient="vertical" data-category="paneSecurity" hidden="true">
+  <caption label="&passwords.label;"/>
+
+  <hbox id="savePasswordsBox">
+    <checkbox id="savePasswords" flex="1"
+              label="&rememberPasswords.label;" accesskey="&rememberPasswords.accesskey;"
+              preference="signon.rememberSignons"
+              onsyncfrompreference="return gSecurityPane.readSavePasswords();"/>
+    <button id="passwordExceptions"
+            label="&passwordExceptions.label;"
+            accesskey="&passwordExceptions.accesskey;"
+            oncommand="gSecurityPane.showPasswordExceptions();"
+            preference="pref.privacy.disable_button.view_passwords_exceptions"/>
+  </hbox>
+  <hbox id="masterPasswordBox">
+    <checkbox id="useMasterPassword" flex="1"
+              oncommand="gSecurityPane.updateMasterPasswordButton();"
+              label="&useMasterPassword.label;"
+              accesskey="&useMasterPassword.accesskey;"/>
+    <button id="changeMasterPassword"
+            label="&changeMasterPassword.label;"
+            accesskey="&changeMasterPassword.accesskey;"
+            oncommand="gSecurityPane.changeMasterPassword();"/>
+  </hbox>
+
+  <hbox id="showPasswordsBox">
+    <spacer flex="1"/>
+    <button id="showPasswords"
+            label="&savedPasswords.label;" accesskey="&savedPasswords.accesskey;"
+            oncommand="gSecurityPane.showPasswords();"
+            preference="pref.privacy.disable_button.view_passwords"/>
+  </hbox>
+</groupbox>