diff --git a/modules/@angular/platform-browser/src/security/dom_sanitization_service.ts b/modules/@angular/platform-browser/src/security/dom_sanitization_service.ts
index 8b636f5366..77e6041638 100644
--- a/modules/@angular/platform-browser/src/security/dom_sanitization_service.ts
+++ b/modules/@angular/platform-browser/src/security/dom_sanitization_service.ts
@@ -165,7 +165,10 @@ export class DomSanitizationServiceImpl extends DomSanitizationService {
         this.checkNotSafeValue(value, 'Script');
         throw new Error('unsafe value used in a script context');
       case SecurityContext.URL:
-        if (value instanceof SafeUrlImpl) return value.changingThisBreaksApplicationSecurity;
+        if (value instanceof SafeResourceUrlImpl || value instanceof SafeUrlImpl) {
+          // Allow resource URLs in URL contexts, they are strictly more trusted.
+          return value.changingThisBreaksApplicationSecurity;
+        }
         this.checkNotSafeValue(value, 'URL');
         return sanitizeUrl(String(value));
       case SecurityContext.RESOURCE_URL:
diff --git a/modules/@angular/platform-browser/test/security/dom_sanitization_service_spec.ts b/modules/@angular/platform-browser/test/security/dom_sanitization_service_spec.ts
new file mode 100644
index 0000000000..8ee963cad1
--- /dev/null
+++ b/modules/@angular/platform-browser/test/security/dom_sanitization_service_spec.ts
@@ -0,0 +1,22 @@
+/**
+ * @license
+ * Copyright Google Inc. All Rights Reserved.
+ *
+ * Use of this source code is governed by an MIT-style license that can be
+ * found in the LICENSE file at https://angular.io/license
+ */
+
+import {SecurityContext} from '@angular/core';
+import * as t from '@angular/core/testing/testing_internal';
+
+import {DomSanitizationServiceImpl} from '../../src/security/dom_sanitization_service';
+
+export function main() {
+  t.describe('DOM Sanitization Service', () => {
+    t.it('accepts resource URL values for resource contexts', () => {
+      const svc = new DomSanitizationServiceImpl();
+      const resourceUrl = svc.bypassSecurityTrustResourceUrl('http://hello/world');
+      t.expect(svc.sanitize(SecurityContext.URL, resourceUrl)).toBe('http://hello/world');
+    });
+  });
+}