diff --git a/packages/http/httpcall_tests.js b/packages/http/httpcall_tests.js
index 115806ab05..fddf48b032 100644
--- a/packages/http/httpcall_tests.js
+++ b/packages/http/httpcall_tests.js
@@ -441,33 +441,37 @@ if (Meteor.isServer) {
 }));
 };
- // no such file
- do_test("/nosuchfile", 200, /DOCTYPE/);
- do_test("/../nosuchfile", 403);
- do_test("/%2e%2e/nosuchfile", 403);
- do_test("/%2E%2E/nosuchfile", 403);
- do_test("/%2d%2d/nosuchfile", 200, /DOCTYPE/);
- // existing static file
- var succeeds = [
- "/packages/http/test_static.serveme",
+ do_test("/packages/http/test_static.serveme", 200, /static file serving/);
+
+ // no such file, so return the default app HTML.
+ var getsAppHtml = [
+ // This file doesn't exist.
+ "/nosuchfile",
+
+ // Our static file serving doesn't process .. or its encoded version, so
+ // any of these return the app HTML.
+ "/../nosuchfile",
+ "/%2e%2e/nosuchfile",
+ "/%2E%2E/nosuchfile",
+ "/%2d%2d/nosuchfile",
 "/packages/http/../http/test_static.serveme",
 "/packages/http/%2e%2e/http/test_static.serveme",
 "/packages/http/%2E%2E/http/test_static.serveme",
 "/packages/http/../../packages/http/test_static.serveme",
 "/packages/http/%2e%2e/%2e%2e/packages/http/test_static.serveme",
 "/packages/http/%2E%2E/%2E%2E/packages/http/test_static.serveme",
+
+ // ... and they *definitely* shouldn't be able to escape the app bundle.
+ "/packages/http/../../../../../../packages/http/test_static.serveme",
+ "/../../../../../../../../../../../bin/ls",
+ "/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/ls",
+ "/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/bin/ls"
 ];
- _.each(succeeds, function (path) {
- do_test(path, 200, /static file serving/);
+
+ _.each(getsAppHtml, function (x) {
+ do_test(x, 200, /