This is difficult to fix without breaking compatibility. For example, the following two CodeSource URLs could be equal after name resolution:
Changing this could break a bunch of stuff as these CodeSources would now be placed into separate ProtectionDomains.
It's possible we may be able to look at this from a different angle, and only do name resolution if a CodeSource is granted something other than AllPermission or the default sandbox permissions, or whenever policy processing is enabled in Plugin (usePolicy=true). But I need to think about it some more.