Comment 13 for bug 1566416

The primary solution proposed is a relatively complicated patch, and -- I assume -- requires new configuration on the part of deployers (as part of a security patch, no less). Maybe it's a good long term solution?