diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp.me qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp.me 2010-05-06 11:29:24.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp 2010-05-06 11:43:29.000000000 +0200
@@ -112,7 +112,11 @@ SecurityOrigin::SecurityOrigin(const KUR
 // By default, only local SecurityOrigins can load local resources.
 m_canLoadLocalResources = isLocal();
-
+ if (m_canLoadLocalResources) {
+ // Directories should never be readable.
+ if (!url.hasPath() || url.path().endsWith("/"))
+ m_noAccess = true;
+ }
 if (isDefaultPortForProtocol(m_port, m_protocol))
 m_port = 0;
 }
@@ -207,6 +211,8 @@ bool SecurityOrigin::canRequest(const KU
 return false;
 RefPtr targetOrigin = SecurityOrigin::create(url);
+ if (targetOrigin->m_noAccess)
+ return false;
 // We call isSameSchemeHostPort here instead of canAccess because we want
 // to ignore document.domain effects.
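Review bot: In the SecurityOrigin constructor hunk, the directory test `!url.hasPath() || url.path().endsWith("/")` is purely textual, so a local URL that names a directory without a trailing slash still gets an origin with `m_noAccess` unset. If the intent is what the added comment says, the check needs to be backed by a refusal at the point where the file is actually opened, and the comment should state that limit, e.g. `// Textual check only: catches paths ending in "/"; the file loader must still refuse directories.` Whether `m_noAccess` is initialised before this point cannot be seen here, because the constructor starts above the hunk.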
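Review bot: In the canRequest hunk, the new `if (targetOrigin->m_noAccess) return false;` runs only after the function's earlier returns, which lie above the hunk; if any of them returns true, the directory denial is skipped for that caller, so the ordering should be confirmed as intended. The check also fires for every target whose origin has `m_noAccess` set, not only directories, and nothing in the hunk says which cases that covers. A one-line comment would settle it, e.g. `// Never allow requests to no-access targets such as local directories.` The function body continues past the end of the hunk.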