diff --git a/dix/window.c b/dix/window.c
index e4f1ae1eb..2e852099a 100644
--- a/dix/window.c
+++ b/dix/window.c
@@ -729,6 +729,14 @@ CreateWindow(Window wid, WindowPtr pParent, int x, int y, unsigned w,
 
     pWin->borderWidth = bw;
 
+    /*  security creation/labeling check
+     */
+    if (!XaceHook(XACE_RESOURCE_ACCESS, wid, RT_WINDOW, DixCreateAccess, pWin))
+    {
+	xfree(pWin);
+	*error = BadAccess;
+	return NullWindow;
+    }
     /*  can't let untrusted clients have background None windows;
      *  they make it too easy to steal window contents
      */