diff --git a/dom/workers/WorkerPrivate.cpp b/dom/workers/WorkerPrivate.cpp
index 33f945724630..af3c3a1bed18 100644
--- a/dom/workers/WorkerPrivate.cpp
+++ b/dom/workers/WorkerPrivate.cpp
@@ -5259,16 +5259,23 @@ WorkerPrivate::ConnectMessagePort(JSContext* aCx, uint64_t aMessagePortSerial)
 return false;
 }
- MessageEventInit init;
- init.mBubbles = false;
- init.mCancelable = false;
- init.mSource = &jsPort.toObject();
+ nsRefPtr event;
+ {
+ // Bug 940779 - MessageEventInit contains unrooted JS objects, and
+ // ~nsRefPtr can GC, so make sure 'init' is no longer live before ~nsRefPtr
+ // runs (or the nsRefPtr is even created) to avoid a rooting hazard. Note
+ // that 'init' is live until its destructor runs, not just until its final
+ // use.
+ MessageEventInit init;
+ init.mBubbles = false;
+ init.mCancelable = false;
+ init.mSource = &jsPort.toObject();
- ErrorResult rv;
-
- nsRefPtr event =
- nsDOMMessageEvent::Constructor(globalObject, aCx,
- NS_LITERAL_STRING("connect"), init, rv);
+ ErrorResult rv;
+ event = nsDOMMessageEvent::Constructor(globalObject, aCx,
+ NS_LITERAL_STRING("connect"),
+ init, rv);
+ }
 event->SetTrusted(true);
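Review bot: `rv` is now scoped to the inner block and is never inspected before `event->SetTrusted(true)` dereferences `event`, so if `nsDOMMessageEvent::Constructor` fails and hands back null, the worker dereferences a null pointer; the removed lines had the same gap, but after this change the error state is no longer reachable at the point of use. Consider checking inside the block right after the call, e.g. `if (rv.Failed() || !event) { return false; }`, with whatever error reporting on `aCx` this function's other failure paths use (they are outside the hunk, as are the start and end of ConnectMessagePort). Returning from inside the block keeps the ordering the comment requires, since `init` is destroyed before the outer `nsRefPtr`.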