diff --git a/content/scratchpad-overlay.js b/content/scratchpad-overlay.js
index f4b660831..bc3e30999 100644
--- a/content/scratchpad-overlay.js
+++ b/content/scratchpad-overlay.js
@@ -24,7 +24,14 @@ window.addEventListener('load', function() {
 
     if (!Scratchpad.initialized) return;
 
-    Scratchpad.editor.setCursor({line: 0, ch: 0});
+    if ('function' == typeof Scratchpad.editor.setCursor) {
+      // Firefox >= 28
+      Scratchpad.editor.setCursor({line: 0, ch: 0});
+    } else {
+      // Firefox <= 27
+      Scratchpad.editor.setCaretPosition(0, 0);
+    }
+
     clearInterval(initializeCheckTimer);
   }
   initializeCheckTimer = setInterval(moveCursorToTop, 20);
diff --git a/install.rdf b/install.rdf
index b363f09a4..df8f519cd 100644
--- a/install.rdf
+++ b/install.rdf
@@ -50,6 +50,15 @@
       </Description>
     </em:targetApplication>
 
+    <!-- Pale Moon -->
+    <em:targetApplication>
+      <Description>
+        <em:id>{8de7fcbb-c55c-4fbe-bfc5-fc555c87dbc4}</em:id>
+        <em:minVersion>25.0</em:minVersion>
+        <em:maxVersion>25.*</em:maxVersion>
+      </Description>
+    </em:targetApplication>
+
   </Description>
 
 </RDF>
diff --git a/modules/xmlhttprequester.js b/modules/xmlhttprequester.js
index 92a2b23c5..f42ab8b89 100644
--- a/modules/xmlhttprequester.js
+++ b/modules/xmlhttprequester.js
@@ -5,7 +5,10 @@ Components.utils.import("resource://greasemonkey/util.js");
 function GM_xmlhttpRequester(wrappedContentWin, originUrl, sandbox) {
   this.wrappedContentWin = wrappedContentWin;
   this.originUrl = originUrl;
-  this.sandboxPrincipal = Components.utils.getObjectPrincipal(sandbox);
+  // Firefox < 29 does not support getObjectPrincipal in a scriptable context.
+  // Older Greasemonkey didn't use this, so if the browser doesn't support it,
+  // this shouldn't be less secure (for that browser).
+  this.sandboxPrincipal = 'function' == typeof Components.utils.getObjectPrincipal ? Components.utils.getObjectPrincipal(sandbox) : null;
 }
 
 // this function gets called by user scripts in content security scope to
@@ -169,10 +172,13 @@ function(wrappedContentWin, req, event, details) {
   var eventCallback = details["on" + event];
   if (!eventCallback) return;
 
-  // ... but ensure that the callback came from a script, not content, by
-  // checking that its principal equals that of the sandbox.
-  var callbackPrincipal = Components.utils.getObjectPrincipal(eventCallback);
-  if (!this.sandboxPrincipal.equals(callbackPrincipal)) return;
+  // Firefox < 29 hack; see above.
+  if ('function' == typeof Components.utils.getObjectPrincipal) {
+    // ... but ensure that the callback came from a script, not content, by
+    // checking that its principal equals that of the sandbox.
+    var callbackPrincipal = Components.utils.getObjectPrincipal(eventCallback);
+    if (!this.sandboxPrincipal.equals(callbackPrincipal)) return;
+  }
 
   req.addEventListener(event, function(evt) {
     var responseState = {