diff --git a/dom/base/Console.cpp b/dom/base/Console.cpp
index fb78362caaa..6ead4e1d8a7 100644
--- a/dom/base/Console.cpp
+++ b/dom/base/Console.cpp
@@ -403,7 +403,13 @@ private:
 
     AutoSafeJSContext cx;
 
-    JS::Rooted<JSObject*> global(cx, mConsole->GetOrCreateSandbox(cx, wp->GetPrincipal()));
+    nsCOMPtr<nsIXPConnectJSObjectHolder> sandbox =
+      mConsole->GetOrCreateSandbox(cx, wp->GetPrincipal());
+    if (NS_WARN_IF(!sandbox)) {
+       return;
+    }
+
+    JS::Rooted<JSObject*> global(cx, sandbox->GetJSObject());
     if (NS_WARN_IF(!global)) {
       return;
     }
@@ -683,7 +689,7 @@ private:
 
 NS_IMPL_CYCLE_COLLECTION_CLASS(Console)
 
-// We don't need to traverse/unlink mStorage and mSandbox because they are not
+// We don't need to traverse/unlink mStorage and mSanbox because they are not
 // CCed objects and they are only used on the main thread, even when this
 // Console object is used on workers.
 
@@ -737,12 +743,19 @@ Console::Console(nsPIDOMWindow* aWindow)
 Console::~Console()
 {
   if (!NS_IsMainThread()) {
+    nsCOMPtr<nsIThread> mainThread;
+    NS_GetMainThread(getter_AddRefs(mainThread));
+
     if (mStorage) {
-      NS_ReleaseOnMainThread(mStorage);
+      nsIConsoleAPIStorage* storage;
+      mStorage.forget(&storage);
+      NS_ProxyRelease(mainThread, storage, false);
     }
 
     if (mSandbox) {
-      NS_ReleaseOnMainThread(mSandbox);
+      nsIXPConnectJSObjectHolder* sandbox;
+      mSandbox.forget(&sandbox);
+      NS_ProxyRelease(mainThread, sandbox, false);
     }
   }
 
@@ -1891,7 +1904,7 @@ Console::ShouldIncludeStackTrace(MethodName aMethodName)
   }
 }
 
-JSObject*
+nsIXPConnectJSObjectHolder*
 Console::GetOrCreateSandbox(JSContext* aCx, nsIPrincipal* aPrincipal)
 {
   MOZ_ASSERT(NS_IsMainThread());
@@ -1900,16 +1913,14 @@ Console::GetOrCreateSandbox(JSContext* aCx, nsIPrincipal* aPrincipal)
     nsIXPConnect* xpc = nsContentUtils::XPConnect();
     MOZ_ASSERT(xpc, "This should never be null!");
 
-    JS::Rooted<JSObject*> sandbox(aCx);
-    nsresult rv = xpc->CreateSandbox(aCx, aPrincipal, sandbox.address());
+    nsresult rv = xpc->CreateSandbox(aCx, aPrincipal,
+                                     getter_AddRefs(mSandbox));
     if (NS_WARN_IF(NS_FAILED(rv))) {
       return nullptr;
     }
-
-    mSandbox = new JSObjectHolder(aCx, sandbox);
   }
 
-  return mSandbox->GetJSObject();
+  return mSandbox;
 }
 
 } // namespace dom
diff --git a/dom/base/Console.h b/dom/base/Console.h
index ea5689d417d..73c93bf30f4 100644
--- a/dom/base/Console.h
+++ b/dom/base/Console.h
@@ -9,7 +9,6 @@
 
 #include "mozilla/dom/BindingDeclarations.h"
 #include "mozilla/ErrorResult.h"
-#include "mozilla/JSObjectHolder.h"
 #include "nsCycleCollectionParticipant.h"
 #include "nsDataHashtable.h"
 #include "nsHashKeys.h"
@@ -21,6 +20,7 @@
 class nsIConsoleAPIStorage;
 class nsIPrincipal;
 class nsIProfiler;
+class nsIXPConnectJSObjectHolder;
 
 namespace mozilla {
 namespace dom {
@@ -199,12 +199,12 @@ private:
   bool
   ShouldIncludeStackTrace(MethodName aMethodName);
 
-  JSObject*
+  nsIXPConnectJSObjectHolder*
   GetOrCreateSandbox(JSContext* aCx, nsIPrincipal* aPrincipal);
 
   nsCOMPtr<nsPIDOMWindow> mWindow;
   nsCOMPtr<nsIConsoleAPIStorage> mStorage;
-  nsRefPtr<JSObjectHolder> mSandbox;
+  nsCOMPtr<nsIXPConnectJSObjectHolder> mSandbox;
 #ifdef MOZ_ENABLE_PROFILER_SPS
   nsCOMPtr<nsIProfiler> mProfiler;
 #endif
diff --git a/dom/datastore/DataStoreDB.cpp b/dom/datastore/DataStoreDB.cpp
index f8374abe9d1..19d34f37ec9 100644
--- a/dom/datastore/DataStoreDB.cpp
+++ b/dom/datastore/DataStoreDB.cpp
@@ -113,12 +113,18 @@ DataStoreDB::CreateFactoryIfNeeded()
     MOZ_ASSERT(xpc);
 
     AutoSafeJSContext cx;
-    JS::Rooted<JSObject*> global(cx);
-    rv = xpc->CreateSandbox(cx, principal, global.address());
+
+    nsCOMPtr<nsIXPConnectJSObjectHolder> globalHolder;
+    rv = xpc->CreateSandbox(cx, principal, getter_AddRefs(globalHolder));
     if (NS_WARN_IF(NS_FAILED(rv))) {
       return rv;
     }
 
+    JS::Rooted<JSObject*> global(cx, globalHolder->GetJSObject());
+    if (NS_WARN_IF(NS_FAILED(rv))) {
+      return NS_ERROR_UNEXPECTED;
+    }
+
     // The CreateSandbox call returns a proxy to the actual sandbox object. We
     // don't need a proxy here.
     global = js::UncheckedUnwrap(global);
diff --git a/dom/workers/ScriptLoader.cpp b/dom/workers/ScriptLoader.cpp
index cdac79828ec..401d4d4edbb 100644
--- a/dom/workers/ScriptLoader.cpp
+++ b/dom/workers/ScriptLoader.cpp
@@ -1257,13 +1257,13 @@ CacheCreator::CreateCacheStorage(nsIPrincipal* aPrincipal)
   MOZ_ASSERT(xpc, "This should never be null!");
 
   mozilla::AutoSafeJSContext cx;
-  JS::Rooted<JSObject*> sandbox(cx);
-  nsresult rv = xpc->CreateSandbox(cx, aPrincipal, sandbox.address());
+  nsCOMPtr<nsIXPConnectJSObjectHolder> sandbox;
+  nsresult rv = xpc->CreateSandbox(cx, aPrincipal, getter_AddRefs(sandbox));
   if (NS_WARN_IF(NS_FAILED(rv))) {
     return rv;
   }
 
-  mSandboxGlobalObject = xpc::NativeGlobal(sandbox);
+  mSandboxGlobalObject = xpc::NativeGlobal(sandbox->GetJSObject());
   if (NS_WARN_IF(!mSandboxGlobalObject)) {
     return NS_ERROR_FAILURE;
   }
diff --git a/dom/workers/ServiceWorkerScriptCache.cpp b/dom/workers/ServiceWorkerScriptCache.cpp
index 39943dbeed4..2e1fe1ad0c1 100644
--- a/dom/workers/ServiceWorkerScriptCache.cpp
+++ b/dom/workers/ServiceWorkerScriptCache.cpp
@@ -34,7 +34,7 @@ namespace {
 
 already_AddRefed<CacheStorage>
 CreateCacheStorage(nsIPrincipal* aPrincipal, ErrorResult& aRv,
-                   JS::MutableHandle<JSObject*>* aSandbox = nullptr)
+                   nsIXPConnectJSObjectHolder** aHolder = nullptr)
 {
   AssertIsOnMainThread();
   MOZ_ASSERT(aPrincipal);
@@ -44,20 +44,21 @@ CreateCacheStorage(nsIPrincipal* aPrincipal, ErrorResult& aRv,
 
   AutoJSAPI jsapi;
   jsapi.Init();
-  JS::Rooted<JSObject*> sandbox(jsapi.cx());
-  aRv = xpc->CreateSandbox(jsapi.cx(), aPrincipal, sandbox.address());
+  nsCOMPtr<nsIXPConnectJSObjectHolder> sandbox;
+  aRv = xpc->CreateSandbox(jsapi.cx(), aPrincipal, getter_AddRefs(sandbox));
   if (NS_WARN_IF(aRv.Failed())) {
     return nullptr;
   }
 
-  nsCOMPtr<nsIGlobalObject> sandboxGlobalObject = xpc::NativeGlobal(sandbox);
+  nsCOMPtr<nsIGlobalObject> sandboxGlobalObject =
+    xpc::NativeGlobal(sandbox->GetJSObject());
   if (!sandboxGlobalObject) {
     aRv.Throw(NS_ERROR_FAILURE);
     return nullptr;
   }
 
-  if (aSandbox) {
-    aSandbox->set(sandbox);
+  if (aHolder) {
+    sandbox.forget(aHolder);
   }
 
   // We assume private browsing is not enabled here.  The ScriptLoader
@@ -319,8 +320,7 @@ public:
     // Always create a CacheStorage since we want to write the network entry to
     // the cache even if there isn't an existing one.
     ErrorResult result;
-    JS::MutableHandle<JSObject*> sandboxHandle(&mSandbox);
-    mCacheStorage = CreateCacheStorage(aPrincipal, result, &sandboxHandle);
+    mCacheStorage = CreateCacheStorage(aPrincipal, result, getter_AddRefs(mSandbox));
     if (NS_WARN_IF(result.Failed())) {
       MOZ_ASSERT(!result.IsErrorWithMessage());
       return result.StealNSResult();
@@ -621,7 +621,7 @@ private:
   }
 
   nsRefPtr<CompareCallback> mCallback;
-  JS::PersistentRooted<JSObject*> mSandbox;
+  nsCOMPtr<nsIXPConnectJSObjectHolder> mSandbox;
   nsRefPtr<CacheStorage> mCacheStorage;
 
   nsRefPtr<CompareNetwork> mCN;
diff --git a/extensions/pref/autoconfig/src/nsJSConfigTriggers.cpp b/extensions/pref/autoconfig/src/nsJSConfigTriggers.cpp
index 8f46cef7419..da3cbe5859b 100644
--- a/extensions/pref/autoconfig/src/nsJSConfigTriggers.cpp
+++ b/extensions/pref/autoconfig/src/nsJSConfigTriggers.cpp
@@ -46,13 +46,13 @@ nsresult CentralizedAdminPrefManagerInit()
 
     // Create a sandbox.
     AutoSafeJSContext cx;
-    JS::Rooted<JSObject*> sandbox(cx);
-    rv = xpc->CreateSandbox(cx, principal, sandbox.address());
+    nsCOMPtr<nsIXPConnectJSObjectHolder> sandbox;
+    rv = xpc->CreateSandbox(cx, principal, getter_AddRefs(sandbox));
     NS_ENSURE_SUCCESS(rv, rv);
 
     // Unwrap, store and root the sandbox.
-    NS_ENSURE_STATE(sandbox);
-    autoconfigSb.init(cx, js::UncheckedUnwrap(sandbox));
+    NS_ENSURE_STATE(sandbox->GetJSObject());
+    autoconfigSb.init(cx, js::UncheckedUnwrap(sandbox->GetJSObject()));
 
     return NS_OK;
 }
diff --git a/js/xpconnect/idl/nsIXPConnect.idl b/js/xpconnect/idl/nsIXPConnect.idl
index b2311927617..f7b61c29bb6 100644
--- a/js/xpconnect/idl/nsIXPConnect.idl
+++ b/js/xpconnect/idl/nsIXPConnect.idl
@@ -266,7 +266,7 @@ interface nsIXPCFunctionThisTranslator : nsISupports
     { 0xbd, 0xd6, 0x0, 0x0, 0x64, 0x65, 0x73, 0x74 } }
 %}
 
-[noscript, uuid(0e415848-65b6-4235-b5b1-ec90509d1133)]
+[noscript, uuid(b91f1eeb-2fe4-44cc-9983-abcc06d69a94)]
 interface nsIXPConnect : nsISupports
 {
 %{ C++
@@ -474,7 +474,8 @@ interface nsIXPConnect : nsISupports
      * @param principal The principal (or NULL to use the null principal)
      *                  to use when evaluating code in this sandbox.
      */
-    [noscript] JSObjectPtr createSandbox(in JSContextPtr cx, in nsIPrincipal principal);
+    [noscript] nsIXPConnectJSObjectHolder createSandbox(in JSContextPtr cx,
+                                                        in nsIPrincipal principal);
 
     /**
      * Evaluate script in a sandbox, completely isolated from all
diff --git a/js/xpconnect/src/nsXPConnect.cpp b/js/xpconnect/src/nsXPConnect.cpp
index 60727e741a8..61166dfa9a7 100644
--- a/js/xpconnect/src/nsXPConnect.cpp
+++ b/js/xpconnect/src/nsXPConnect.cpp
@@ -737,7 +737,7 @@ nsXPConnect::SetFunctionThisTranslator(const nsIID & aIID,
 
 NS_IMETHODIMP
 nsXPConnect::CreateSandbox(JSContext* cx, nsIPrincipal* principal,
-                           JSObject** _retval)
+                           nsIXPConnectJSObjectHolder** _retval)
 {
     *_retval = nullptr;
 
@@ -748,7 +748,9 @@ nsXPConnect::CreateSandbox(JSContext* cx, nsIPrincipal* principal,
                "Bad return value from xpc_CreateSandboxObject()!");
 
     if (NS_SUCCEEDED(rv) && !rval.isPrimitive()) {
-        *_retval = rval.toObjectOrNull();
+        JSObject* obj = rval.toObjectOrNull();
+        nsRefPtr<XPCJSObjectHolder> rval = new XPCJSObjectHolder(obj);
+        rval.forget(_retval);
     }
 
     return rv;