Backed out 3 changesets (bug 1165272) for b2g sanity blocker.

2024-09-13 09:24:08 -07:00 · 2015-08-25 11:05:43 -07:00 · 2015-08-25 11:05:43 -07:00 · 8f42e826dc
commit 8f42e826dc
parent d2e8d959fd
99 changed files with 425 additions and 429 deletions
--- a/addon-sdk/source/lib/sdk/indexed-db.js
+++ b/addon-sdk/source/lib/sdk/indexed-db.js
@ -32,9 +32,9 @@ let principaluri = Cc["@mozilla.org/network/io-service;1"].
              getService(Ci.nsIIOService).
              newURI(PSEUDOURI, null, null);

-let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-            .getService(Ci.nsIScriptSecurityManager);
-let principal = ssm.createCodebasePrincipal(principaluri, {});
+let principal = Cc["@mozilla.org/scriptsecuritymanager;1"].
+	               getService(Ci.nsIScriptSecurityManager).
+	               getCodebasePrincipal(principaluri);

 function toArray(args) {
  return Array.prototype.slice.call(args);
--- a/b2g/components/AboutServiceWorkers.jsm
+++ b/b2g/components/AboutServiceWorkers.jsm
@ -154,10 +154,11 @@ this.AboutServiceWorkers = {
          return;
        }

-        let principal = Services.scriptSecurityManager.createCodebasePrincipal(
-          // TODO: Bug 1196652. use originNoSuffix
+        let principal = Services.scriptSecurityManager.getAppCodebasePrincipal(
          Services.io.newURI(message.principal.origin, null, null),
-          message.principal.originAttributes);
+          message.principal.originAttributes.appId,
+          message.principal.originAttributes.inBrowser
+        );

        if (!message.scope) {
          self.sendError(message.id, "MissingScope");
--- a/b2g/components/ContentPermissionPrompt.js
+++ b/b2g/components/ContentPermissionPrompt.js
@ -205,9 +205,9 @@ ContentPermissionPrompt.prototype = {
    // URL.
    let notDenyAppPrincipal = function(type) {
      let url = Services.io.newURI(app.origin, null, null);
-      let principal =
-        secMan.createCodebasePrincipal(url,
-                                       {appId: request.principal.appId});
+      let principal = secMan.getAppCodebasePrincipal(url,
+                                                     request.principal.appId,
+                                                     /*mozbrowser*/false);
      let result = Services.perms.testExactPermissionFromPrincipal(principal,
                                                                   type.access);

--- a/browser/base/content/aboutSocialError.xhtml
+++ b/browser/base/content/aboutSocialError.xhtml
@ -55,8 +55,7 @@
      // the error message.
      if (!config.origin) {
        let URI = Services.io.newURI(url, null, null);
-        config.origin =
-          Services.scriptSecurityManager.createCodebasePrincipal(URI, {}).origin;
+        config.origin = Services.scriptSecurityManager.getNoAppCodebasePrincipal(URI).origin;
      }

      switch (mode) {
--- a/browser/base/content/test/general/browser_offlineQuotaNotification.js
+++ b/browser/base/content/test/general/browser_offlineQuotaNotification.js
@ -11,7 +11,7 @@ const URL = "http://mochi.test:8888/browser/browser/base/content/test/general/of
 registerCleanupFunction(function() {
  // Clean up after ourself
  let uri = Services.io.newURI(URL, null, null);
-  let principal = Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
+  var principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri);
  Services.perms.removeFromPrincipal(principal, "offline-app");
  Services.prefs.clearUserPref("offline-apps.quota.warn");
  Services.prefs.clearUserPref("offline-apps.allow_by_default");
--- a/browser/base/content/test/general/browser_sanitizeDialog.js
+++ b/browser/base/content/test/general/browser_sanitizeDialog.js
@ -564,7 +564,7 @@ var gAllTests = [

    var sm = Cc["@mozilla.org/scriptsecuritymanager;1"]
             .getService(Ci.nsIScriptSecurityManager);
-    var principal = sm.createCodebasePrincipal(URI, {});
+    var principal = sm.getNoAppCodebasePrincipal(URI);

    // Give www.example.com privileges to store offline data
    var pm = Cc["@mozilla.org/permissionmanager;1"]
@ -634,7 +634,7 @@ var gAllTests = [

    var sm = Cc["@mozilla.org/scriptsecuritymanager;1"]
             .getService(Ci.nsIScriptSecurityManager);
-    var principal = sm.createCodebasePrincipal(URI, {});
+    var principal = sm.getNoAppCodebasePrincipal(URI);

    // Open the dialog
    let wh = new WindowHelper();
--- a/browser/base/content/test/general/test_offlineNotification.html
+++ b/browser/base/content/test/general/test_offlineNotification.html
@ -43,10 +43,12 @@ window.addEventListener("message", function(event) {
      var uri1 = ioService.newURI(frames.testFrame.location, null, null);
      var uri2 = ioService.newURI(frames.testFrame3.location, null, null);

-      var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                  .getService(SpecialPowers.Ci.nsIScriptSecurityManager);
-      var principal1 = ssm.createCodebasePrincipal(uri1, {});
-      var principal2 = ssm.createCodebasePrincipal(uri2, {});
+      var principal1 = Cc["@mozilla.org/scriptsecuritymanager;1"]
+                        .getService(SpecialPowers.Ci.nsIScriptSecurityManager)
+                        .getNoAppCodebasePrincipal(uri1);
+      var principal2 = Cc["@mozilla.org/scriptsecuritymanager;1"]
+                        .getService(SpecialPowers.Ci.nsIScriptSecurityManager)
+                        .getNoAppCodebasePrincipal(uri2);

      pm.removeFromPrincipal(principal1, "offline-app");
      pm.removeFromPrincipal(principal2, "offline-app");
--- a/browser/base/content/test/general/test_offline_gzip.html
+++ b/browser/base/content/test/general/test_offline_gzip.html
@ -39,9 +39,9 @@ function finishTest() {

  var uri = Cc["@mozilla.org/network/io-service;1"].getService(SpecialPowers.Ci.nsIIOService)
              .newURI(window.frames[0].location, null, null);
-  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(SpecialPowers.Ci.nsIScriptSecurityManager);
-  var principal = ssm.createCodebasePrincipal(uri, {});
+  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
+                   .getService(SpecialPowers.Ci.nsIScriptSecurityManager)
+                   .getNoAppCodebasePrincipal(uri);

  pm.removeFromPrincipal(principal, "offline-app");

--- a/browser/base/content/test/newtab/head.js
+++ b/browser/base/content/test/newtab/head.js
@ -18,7 +18,7 @@ Cu.import("resource://gre/modules/Timer.jsm", tmp);
 let {Promise, NewTabUtils, Sanitizer, clearTimeout, setTimeout, DirectoryLinksProvider, PlacesTestUtils} = tmp;

 let uri = Services.io.newURI("about:newtab", null, null);
-let principal = Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
+let principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri);

 let isMac = ("nsILocalFileMac" in Ci);
 let isLinux = ("@mozilla.org/gnome-gconf-service;1" in Cc);
--- a/browser/components/feeds/FeedConverter.js
+++ b/browser/components/feeds/FeedConverter.js
@ -254,7 +254,7 @@ FeedConverter.prototype = {
        chromeChannel = ios.newChannelFromURIWithLoadInfo(aboutFeedsURI, loadInfo);
        chromeChannel.originalURI = result.uri;
        chromeChannel.owner =
-          Services.scriptSecurityManager.createCodebasePrincipal(aboutFeedsURI, {});
+          Services.scriptSecurityManager.getNoAppCodebasePrincipal(aboutFeedsURI);
      } else {
        chromeChannel = ios.newChannelFromURIWithLoadInfo(result.uri, loadInfo);
      }
--- a/browser/components/preferences/aboutPermissions.js
+++ b/browser/components/preferences/aboutPermissions.js
@ -497,7 +497,7 @@ let AboutPermissions = {
        while (row = aResults.getNextRow()) {
          let spec = row.getResultByName("url");
          let uri = NetUtil.newURI(spec);
-          let principal = gSecMan.createCodebasePrincipal(uri, {});
+          let principal = gSecMan.getNoAppCodebasePrincipal(uri);

          AboutPermissions.addPrincipal(principal);
        }
@ -548,7 +548,7 @@ let AboutPermissions = {
      try {
        // aLogin.hostname is a string in origin URL format (e.g. "http://foo.com")
        let uri = NetUtil.newURI(aLogin.hostname);
-        let principal = gSecMan.createCodebasePrincipal(uri, {});
+        let principal = gSecMan.getNoAppCodebasePrincipal(uri);
        this.addPrincipal(principal);
      } catch (e) {
        // newURI will throw for add-ons logins stored in chrome:// URIs
@ -564,7 +564,7 @@ let AboutPermissions = {
      try {
        // aHostname is a string in origin URL format (e.g. "http://foo.com")
        let uri = NetUtil.newURI(aHostname);
-        let principal = gSecMan.createCodebasePrincipal(uri, {});
+        let principal = gSecMan.getNoAppCodebasePrincipal(uri);
        this.addPrincipal(principal);
      } catch (e) {
        // newURI will throw for add-ons logins stored in chrome:// URIs
--- a/browser/components/preferences/permissions.js
+++ b/browser/components/preferences/permissions.js
@ -95,12 +95,12 @@ var gPermissionManager = {
      let uri;
      try {
        uri = Services.io.newURI(input_url, null, null);
-        principal = Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
+        principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri);
        // If we have ended up with an unknown scheme, the following will throw.
        principal.origin;
      } catch(ex) {
        uri = Services.io.newURI("http://" + input_url, null, null);
-        principal = Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
+        principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri);
        // If we have ended up with an unknown scheme, the following will throw.
        principal.origin;
      }
--- a/browser/components/preferences/tests/browser_permissions.js
+++ b/browser/components/preferences/tests/browser_permissions.js
@ -8,10 +8,8 @@ const ABOUT_PERMISSIONS_SPEC = "about:permissions";
 const TEST_URI_1 = NetUtil.newURI("http://mozilla.com/");
 const TEST_URI_2 = NetUtil.newURI("http://mozilla.org/");

-const TEST_PRINCIPAL_1 =
-  Services.scriptSecurityManager.createCodebasePrincipal(TEST_URI_1, {});
-const TEST_PRINCIPAL_2 =
-  Services.scriptSecurityManager.createCodebasePrincipal(TEST_URI_2, {});
+const TEST_PRINCIPAL_1 = Services.scriptSecurityManager.getNoAppCodebasePrincipal(TEST_URI_1);
+const TEST_PRINCIPAL_2 = Services.scriptSecurityManager.getNoAppCodebasePrincipal(TEST_URI_2);

 // values from DefaultPermissions object
 const PERM_UNKNOWN = 0;
--- a/browser/devtools/styleinspector/test/browser_styleinspector_csslogic-content-stylesheets.js
+++ b/browser/devtools/styleinspector/test/browser_styleinspector_csslogic-content-stylesheets.js
@ -15,9 +15,9 @@ const TEST_URI_XUL = TEST_URL_ROOT + "doc_content_stylesheet.xul";
 const XUL_URI = Cc["@mozilla.org/network/io-service;1"]
                .getService(Ci.nsIIOService)
                .newURI(TEST_URI_XUL, null, null);
-let ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                            .getService(Ci.nsIScriptSecurityManager);
-const XUL_PRINCIPAL = ssm.createCodebasePrincipal(XUL_URI, {});
+const XUL_PRINCIPAL = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                        .getService(Ci.nsIScriptSecurityManager)
+                        .getNoAppCodebasePrincipal(XUL_URI);

 add_task(function*() {
  info("Checking stylesheets on HTML document");
--- a/browser/extensions/pdfjs/content/PdfStreamConverter.jsm
+++ b/browser/extensions/pdfjs/content/PdfStreamConverter.jsm
@ -995,21 +995,14 @@ PdfStreamConverter.prototype = {

    // We can use resource principal when data is fetched by the chrome
    // e.g. useful for NoScript
-    var ssm = Cc['@mozilla.org/scriptsecuritymanager;1']
-                .getService(Ci.nsIScriptSecurityManager);
+    var securityManager = Cc['@mozilla.org/scriptsecuritymanager;1']
+                          .getService(Ci.nsIScriptSecurityManager);
    var uri = NetUtil.newURI(PDF_VIEWER_WEB_PAGE, null, null);
    // FF16 and below had getCodebasePrincipal, it was replaced by
    // getNoAppCodebasePrincipal (bug 758258).
-    // FF 43 added createCodebasePrincipal to replace getNoAppCodebasePrincipal
-    // (bug 1165272).
-    var resourcePrincipal
-    if ('createCodebasePrincipal' in ssm) {
-      resourcePrincipal = ssm.createCodebasePrincipal(uri, {});
-    } else if ('getNoAppCodebasePrincipal' in ssm) {
-      resourcePrincipal = ssm.getNoAppCodebasePrincipal(uri)
-    } else {
-      resourcePrincipal = ssm.getCodebasePrincipal(uri);
-    }
+    var resourcePrincipal = 'getNoAppCodebasePrincipal' in securityManager ?
+                            securityManager.getNoAppCodebasePrincipal(uri) :
+                            securityManager.getCodebasePrincipal(uri);
    aRequest.owner = resourcePrincipal;
    channel.asyncOpen(proxy, aContext);
  },
--- a/browser/extensions/shumway/chrome/SpecialStorage.jsm
+++ b/browser/extensions/shumway/chrome/SpecialStorage.jsm
@ -22,9 +22,9 @@ var SpecialStorageUtils = {
  createWrappedSpecialStorage: function (sandbox, swfUrl, privateBrowsing) {
    // Creating internal localStorage object based on url and privateBrowsing setting.
    var uri = Services.io.newURI(swfUrl, null, null);
-    var ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                                .getService(Components.interfaces.nsIScriptSecurityManager);
-    var principal = ssm.createCodebasePrincipal(uri, {});
+    var principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                              .getService(Components.interfaces.nsIScriptSecurityManager)
+                              .getNoAppCodebasePrincipal(uri);
    var dsm = Components.classes["@mozilla.org/dom/localStorage-manager;1"]
                                .getService(Components.interfaces.nsIDOMStorageManager);
    var storage = dsm.createStorage(null, principal, privateBrowsing);
--- a/browser/modules/Feeds.jsm
+++ b/browser/modules/Feeds.jsm
@ -66,8 +66,7 @@ this.Feeds = {
    if (aIsFeed) {
      // re-create the principal as it may be a CPOW.
      let principalURI = BrowserUtils.makeURIFromCPOW(aPrincipal.URI);
-      let principalToCheck =
-        Services.scriptSecurityManager.createCodebasePrincipal(principalURI, {});
+      let principalToCheck = Services.scriptSecurityManager.getNoAppCodebasePrincipal(principalURI);
      try {
        BrowserUtils.urlSecurityCheck(aLink.href, principalToCheck,
                                      Ci.nsIScriptSecurityManager.DISALLOW_INHERIT_PRINCIPAL);
--- a/caps/nsIScriptSecurityManager.idl
+++ b/caps/nsIScriptSecurityManager.idl
@ -26,7 +26,7 @@ class DomainPolicyClone;
 [ptr] native JSObjectPtr(JSObject);
 [ptr] native DomainPolicyClonePtr(mozilla::dom::DomainPolicyClone);

-[scriptable, uuid(6e8a4d1e-d9c6-4d86-bf53-d73f58f36148)]
+[scriptable, uuid(9a8f0b70-6b9f-4e19-8885-7cfe24f4a42d)]
 interface nsIScriptSecurityManager : nsISupports
 {
    /**
@ -150,12 +150,10 @@ interface nsIScriptSecurityManager : nsISupports
     * @param appId is the app id of the principal. It can't be UNKNOWN_APP_ID.
     * @param inMozBrowser is true if the principal has to be considered as
     * inside a mozbrowser frame.
-     *
-     * @deprecated use createCodebasePrincipal instead.
     */
-    [deprecated] nsIPrincipal getAppCodebasePrincipal(in nsIURI uri,
-                                                      in unsigned long appId,
-                                                      in boolean inMozBrowser);
+    nsIPrincipal getAppCodebasePrincipal(in nsIURI uri,
+                                         in unsigned long appId,
+                                         in boolean inMozBrowser);

    /**
     * Returns a principal that has the appId and inMozBrowser of the load
@ -177,10 +175,8 @@ interface nsIScriptSecurityManager : nsISupports
     * Returns a principal with that has the same origin as uri and is not part
     * of an appliction.
     * The returned principal will have appId = NO_APP_ID.
-     *
-     * @deprecated use createCodebasePrincipal instead.
     */
-    [deprecated] nsIPrincipal getNoAppCodebasePrincipal(in nsIURI uri);
+    nsIPrincipal getNoAppCodebasePrincipal(in nsIURI uri);

    /**
     * Legacy method for getting a principal with no origin attributes.
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@ -11,7 +11,6 @@
 #include "mozilla/ArrayUtils.h"
 #include "mozilla/Attributes.h"
 #include "mozilla/AutoRestore.h"
-#include "mozilla/BasePrincipal.h"
 #include "mozilla/Casting.h"
 #include "mozilla/dom/ContentChild.h"
 #include "mozilla/dom/Element.h"
@ -9361,6 +9360,9 @@ nsDocShell::CreatePrincipalFromReferrer(nsIURI* aReferrer,
                                        nsIPrincipal** aResult)
 {
  nsresult rv;
+  nsCOMPtr<nsIScriptSecurityManager> secMan =
+    do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
+  NS_ENSURE_SUCCESS(rv, rv);

  uint32_t appId;
  rv = GetAppId(&appId);
@ -9368,14 +9370,12 @@ nsDocShell::CreatePrincipalFromReferrer(nsIURI* aReferrer,
  bool isInBrowserElement;
  rv = GetIsInBrowserElement(&isInBrowserElement);
  NS_ENSURE_SUCCESS(rv, rv);
-
-  // TODO: Bug 1165466 - Pass mOriginAttributes directly.
-  OriginAttributes attrs(appId, isInBrowserElement);
-  nsCOMPtr<nsIPrincipal> prin =
-    BasePrincipal::CreateCodebasePrincipal(aReferrer, attrs);
-  prin.forget(aResult);
-
-  return *aResult ? NS_OK : NS_ERROR_FAILURE;
+  rv = secMan->GetAppCodebasePrincipal(aReferrer,
+                                       appId,
+                                       isInBrowserElement,
+                                       aResult);
+  NS_ENSURE_SUCCESS(rv, rv);
+  return NS_OK;
 }

 NS_IMETHODIMP
--- a/dom/apps/AppsUtils.jsm
+++ b/dom/apps/AppsUtils.jsm
@ -73,9 +73,11 @@ mozIApplication.prototype = {
    this._principal = null;

    try {
-      this._principal = Services.scriptSecurityManager.createCodebasePrincipal(
+      this._principal = Services.scriptSecurityManager.getAppCodebasePrincipal(
        Services.io.newURI(this.origin, null, null),
-        {appId: this.localId});
+        this.localId,
+        false /* mozbrowser */
+      );
    } catch(e) {
      dump("Could not create app principal " + e + "\n");
    }
--- a/dom/apps/OfflineCacheInstaller.jsm
+++ b/dom/apps/OfflineCacheInstaller.jsm
@ -228,8 +228,8 @@ function installCache(app) {
  if (!cacheManifest.exists())
    return;

-  let principal =
-    Services.scriptSecurityManager.createCodebasePrincipal(app.origin, {appId: aApp.localId});
+  let principal = Services.scriptSecurityManager.getAppCodebasePrincipal(
+      app.origin, app.localId, false);

  // If the build has been correctly configured, this should not happen!
  // If we install the cache anyway, it won't be updateable. If we don't install
--- a/dom/apps/ScriptPreloader.jsm
+++ b/dom/apps/ScriptPreloader.jsm
@ -40,7 +40,7 @@ this.ScriptPreloader = {
      let toLoad = aManifest.precompile.length;
      let principal =
        Services.scriptSecurityManager
-                .createCodebasePrincipal(origin, {appId: aApp.localId});
+                .getAppCodebasePrincipal(origin, aApp.localId, false);

      aManifest.precompile.forEach((aPath) => {
        let uri = Services.io.newURI(aPath, null, origin);
--- a/dom/apps/Webapps.jsm
+++ b/dom/apps/Webapps.jsm
@ -820,7 +820,8 @@ this.DOMApplicationRegistry = {
    let uri = Services.io.newURI(aOrigin, null, null);
    let secMan = Cc["@mozilla.org/scriptsecuritymanager;1"]
                   .getService(Ci.nsIScriptSecurityManager);
-    let principal = secMan.createCodebasePrincipal(uri, {appId: aId});
+    let principal = secMan.getAppCodebasePrincipal(uri, aId,
+                                                   /*mozbrowser*/ false);
    if (!dataStoreService.checkPermission(principal)) {
      return;
    }
@ -3368,9 +3369,8 @@ this.DOMApplicationRegistry = {
    let requestChannel;

    let appURI = NetUtil.newURI(aNewApp.origin, null, null);
-    let principal =
-      Services.scriptSecurityManager.createCodebasePrincipal(appURI,
-                                                             {appId: aNewApp.localId});
+    let principal = Services.scriptSecurityManager.getAppCodebasePrincipal(
+                      appURI, aNewApp.localId, false);

    if (aIsLocalFileInstall) {
      requestChannel = NetUtil.newChannel({
--- a/dom/base/nsGlobalWindow.cpp
+++ b/dom/base/nsGlobalWindow.cpp
@ -95,6 +95,7 @@
 #include "nsThreadUtils.h"
 #include "nsILoadContext.h"
 #include "nsIPresShell.h"
+#include "nsIScriptSecurityManager.h"
 #include "nsIScrollableFrame.h"
 #include "nsView.h"
 #include "nsViewManager.h"
@ -191,7 +192,6 @@
 #include "nsRefreshDriver.h"

 #include "mozilla/AddonPathService.h"
-#include "mozilla/BasePrincipal.h"
 #include "mozilla/Services.h"
 #include "mozilla/Telemetry.h"
 #include "nsLocation.h"
@ -256,8 +256,6 @@ static const char kStorageEnabled[] = "dom.storage.enabled";
 using namespace mozilla;
 using namespace mozilla::dom;
 using namespace mozilla::dom::ipc;
-using mozilla::BasePrincipal;
-using mozilla::OriginAttributes;
 using mozilla::TimeStamp;
 using mozilla::TimeDuration;
 using mozilla::dom::cache::CacheStorage;
@ -8589,14 +8587,21 @@ nsGlobalWindow::PostMessageMozOuter(JSContext* aCx, JS::Handle<JS::Value> aMessa
      return;
    }

+    nsCOMPtr<nsIScriptSecurityManager> ssm =
+      nsContentUtils::GetSecurityManager();
+    MOZ_ASSERT(ssm);
+
    nsCOMPtr<nsIPrincipal> principal = nsContentUtils::SubjectPrincipal();
    MOZ_ASSERT(principal);

-    OriginAttributes attrs = BasePrincipal::Cast(principal)->OriginAttributesRef();
+    uint32_t appId = principal->GetAppId();
+    bool isInBrowser = principal->GetIsInBrowserElement();
+
    // Create a nsIPrincipal inheriting the app/browser attributes from the
    // caller.
-    providedPrincipal = BasePrincipal::CreateCodebasePrincipal(originURI, attrs);
-    if (NS_WARN_IF(!providedPrincipal)) {
+    nsresult rv = ssm->GetAppCodebasePrincipal(originURI, appId, isInBrowser,
+                                             getter_AddRefs(providedPrincipal));
+    if (NS_WARN_IF(NS_FAILED(rv))) {
      return;
    }
  }
--- a/dom/browser-element/BrowserElementParent.js
+++ b/dom/browser-element/BrowserElementParent.js
@ -833,16 +833,14 @@ BrowserElementParent.prototype = {
      catch(e) {
        debug('Malformed referrer -- ' + e);
      }
-
-      // TODO Bug 1165466: use originAttributes from nsILoadContext.
-      let attrs = {appId: this._frameLoader.loadContext.appId,
-                   inBrowser: this._frameLoader.loadContext.isInBrowserElement};
      // This simply returns null if there is no principal available
      // for the requested uri. This is an acceptable fallback when
      // calling newChannelFromURI2.
-      principal =
-        Services.scriptSecurityManager.createCodebasePrincipal(
-          referrer, attrs);
+      principal = 
+        Services.scriptSecurityManager.getAppCodebasePrincipal(
+          referrer, 
+          this._frameLoader.loadContext.appId, 
+          this._frameLoader.loadContext.isInBrowserElement);
    }

    debug('Using principal? ' + !!principal);
--- a/dom/browser-element/mochitest/browserElement_Auth.js
+++ b/dom/browser-element/mochitest/browserElement_Auth.js
@ -158,17 +158,15 @@ function testAuthJarNoInterfere(e) {

  // Set a bunch of auth data that should not conflict with the correct auth data already
  // stored in the cache.
-  var attrs = {appId: 1};
-  var principal = secMan.createCodebasePrincipal(uri, attrs);
+  var principal = secMan.getAppCodebasePrincipal(uri, 1, false);
  authMgr.setAuthIdentity('http', 'test', -1, 'basic', 'http_realm',
                          'tests/dom/browser-element/mochitest/file_http_401_response.sjs',
                          '', 'httpuser', 'wrongpass', false, principal);
-  attrs = {appId: 1, inBrowser: true};
-  principal = secMan.createCodebasePrincipal(uri, attrs);
+  principal = secMan.getAppCodebasePrincipal(uri, 1, true);
  authMgr.setAuthIdentity('http', 'test', -1, 'basic', 'http_realm',
                          'tests/dom/browser-element/mochitest/file_http_401_response.sjs',
                          '', 'httpuser', 'wrongpass', false, principal);
-  principal = secMan.createCodebasePrincipal(uri, {});
+  principal = secMan.getAppCodebasePrincipal(uri, secMan.NO_APP_ID, false);
  authMgr.setAuthIdentity('http', 'test', -1, 'basic', 'http_realm',
                          'tests/dom/browser-element/mochitest/file_http_401_response.sjs',
                          '', 'httpuser', 'wrongpass', false, principal);
@ -198,7 +196,7 @@ function testAuthJarInterfere(e) {
  var uri = ioService.newURI("http://test/tests/dom/browser-element/mochitest/file_http_401_response.sjs", null, null);

  // Set some auth data that should overwrite the successful stored details.
-  var principal = secMan.createCodebasePrincipal(uri, {inBrowser: true});
+  var principal = secMan.getAppCodebasePrincipal(uri, secMan.NO_APP_ID, true);
  authMgr.setAuthIdentity('http', 'test', -1, 'basic', 'http_realm',
                          'tests/dom/browser-element/mochitest/file_http_401_response.sjs',
                          '', 'httpuser', 'wrongpass', false, principal);
--- a/dom/cache/test/mochitest/test_chrome_constructor.html
+++ b/dom/cache/test/mochitest/test_chrome_constructor.html
@ -20,7 +20,7 @@
    // attach to a different origin's CacheStorage
    var url = 'http://example.com/';
    var uri = Services.io.newURI(url, null, null);
-    var principal = Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
+    var principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri);
    var storage = new CacheStorage('content', principal);

    // verify we can use the other origin's CacheStorage as normal
--- a/dom/datastore/DataStoreService.cpp
+++ b/dom/datastore/DataStoreService.cpp
@ -14,7 +14,6 @@
 #include "mozilla/dom/DataStoreImplBinding.h"
 #include "nsIDataStore.h"

-#include "mozilla/BasePrincipal.h"
 #include "mozilla/Preferences.h"
 #include "mozilla/Services.h"
 #include "mozilla/StaticPtr.h"
@ -57,9 +56,6 @@
    return NS_ERROR_FAILURE;                                                \
  }

-using mozilla::BasePrincipal;
-using mozilla::OriginAttributes;
-
 namespace mozilla {
 namespace dom {

@ -217,10 +213,17 @@ ResetPermission(uint32_t aAppId, const nsAString& aOriginURL,
    return rv;
  }

-  OriginAttributes attrs(aAppId, false);
-  nsCOMPtr<nsIPrincipal> principal =
-    BasePrincipal::CreateCodebasePrincipal(uri, attrs);
-  NS_ENSURE_TRUE(principal, NS_ERROR_FAILURE);
+  nsIScriptSecurityManager* ssm = nsContentUtils::GetSecurityManager();
+  if (!ssm) {
+    return NS_ERROR_FAILURE;
+  }
+
+  nsCOMPtr<nsIPrincipal> principal;
+  rv = ssm->GetAppCodebasePrincipal(uri, aAppId, false,
+                                    getter_AddRefs(principal));
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    return rv;
+  }

  nsCOMPtr<nsIPermissionManager> pm =
    do_GetService(NS_PERMISSIONMANAGER_CONTRACTID);
--- a/dom/indexedDB/ActorsParent.cpp
+++ b/dom/indexedDB/ActorsParent.cpp
@ -18519,6 +18519,12 @@ FactoryOp::CheckAtLeastOneAppHasPermission(ContentParent* aContentParent,
      return false;
    }

+    nsCOMPtr<nsIScriptSecurityManager> secMan =
+      do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID);
+    if (NS_WARN_IF(!secMan)) {
+      return false;
+    }
+
    nsCOMPtr<nsIPermissionManager> permMan =
      mozilla::services::GetPermissionManager();
    if (NS_WARN_IF(!permMan)) {
@ -18542,9 +18548,24 @@ FactoryOp::CheckAtLeastOneAppHasPermission(ContentParent* aContentParent,
        return false;
      }

+      nsString origin;
+      rv = app->GetOrigin(origin);
+      if (NS_WARN_IF(NS_FAILED(rv))) {
+        return false;
+      }
+
+      nsCOMPtr<nsIURI> uri;
+      rv = NS_NewURI(getter_AddRefs(uri), origin, nullptr, nullptr, ioService);
+      if (NS_WARN_IF(NS_FAILED(rv))) {
+        return false;
+      }
+
      nsCOMPtr<nsIPrincipal> principal;
-      app->GetPrincipal(getter_AddRefs(principal));
-      NS_ENSURE_TRUE(principal, false);
+      rv = secMan->GetAppCodebasePrincipal(uri, appId, false,
+                                           getter_AddRefs(principal));
+      if (NS_WARN_IF(NS_FAILED(rv))) {
+        return false;
+      }

      uint32_t permission;
      rv = permMan->TestExactPermissionFromPrincipal(principal,
--- a/dom/indexedDB/test/head.js
+++ b/dom/indexedDB/test/head.js
@ -116,9 +116,9 @@ function setPermission(url, permission)
  let uri = Components.classes["@mozilla.org/network/io-service;1"]
                      .getService(Components.interfaces.nsIIOService)
                      .newURI(url, null, null);
-  let ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                      .getService(Ci.nsIScriptSecurityManager);
-  let principal = ssm.createCodebasePrincipal(uri, {});
+  let principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(uri);

  Components.classes["@mozilla.org/permissionmanager;1"]
            .getService(nsIPermissionManager)
@ -131,9 +131,9 @@ function removePermission(url, permission)
  let uri = Components.classes["@mozilla.org/network/io-service;1"]
                      .getService(Components.interfaces.nsIIOService)
                      .newURI(url, null, null);
-  let ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                      .getService(Ci.nsIScriptSecurityManager);
-  let principal = ssm.createCodebasePrincipal(uri, {});
+  let principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(uri);

  Components.classes["@mozilla.org/permissionmanager;1"]
            .getService(Components.interfaces.nsIPermissionManager)
@ -145,9 +145,9 @@ function getPermission(url, permission)
  let uri = Components.classes["@mozilla.org/network/io-service;1"]
                      .getService(Components.interfaces.nsIIOService)
                      .newURI(url, null, null);
-  let ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                      .getService(Ci.nsIScriptSecurityManager);
-  let principal = ssm.createCodebasePrincipal(uri, {});
+  let principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(uri);

  return Components.classes["@mozilla.org/permissionmanager;1"]
                   .getService(Components.interfaces.nsIPermissionManager)
--- a/dom/indexedDB/test/unit/test_defaultStorageUpgrade.js
+++ b/dom/indexedDB/test/unit/test_defaultStorageUpgrade.js
@ -90,10 +90,13 @@ function testSteps()
    let request;
    if ("url" in params) {
      let uri = ios.newURI(params.url, null, null);
-      let principal =
-        ssm.createCodebasePrincipal(uri,
-                                    {appId: params.appId || ssm.NO_APPID,
-                                     inBrowser: params.inMozBrowser});
+      let principal;
+      if ("appId" in params) {
+        principal = ssm.getAppCodebasePrincipal(uri, params.appId,
+                                                params.inMozBrowser);
+      } else {
+        principal = ssm.getNoAppCodebasePrincipal(uri);
+      }
      if ("dbVersion" in params) {
        request = indexedDB.openForPrincipal(principal, params.dbName,
                                             params.dbVersion);
--- a/dom/indexedDB/test/unit/test_idle_maintenance.js
+++ b/dom/indexedDB/test/unit/test_idle_maintenance.js
@ -10,9 +10,9 @@ function testSteps()
  let uri = Cc["@mozilla.org/network/io-service;1"].
            getService(Ci.nsIIOService).
            newURI("https://www.example.com", null, null);
-  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
-  let principal = ssm.createCodebasePrincipal(uri, {});
+  let principal = Cc["@mozilla.org/scriptsecuritymanager;1"].
+                  getService(Ci.nsIScriptSecurityManager).
+                  getNoAppCodebasePrincipal(uri);

  info("Setting permissions");

--- a/dom/indexedDB/test/unit/test_metadataRestore.js
+++ b/dom/indexedDB/test/unit/test_metadataRestore.js
@ -67,7 +67,7 @@ function testSteps()
    let request;
    if ("url" in params) {
      let uri = ios.newURI(params.url, null, null);
-      let principal = ssm.createCodebasePrincipal(uri, {});
+      let principal = ssm.getNoAppCodebasePrincipal(uri);
      request = indexedDB.openForPrincipal(principal, params.dbName,
                                           params.dbOptions);
    } else {
--- a/dom/indexedDB/test/unit/test_open_for_principal.js
+++ b/dom/indexedDB/test/unit/test_open_for_principal.js
@ -48,9 +48,9 @@ function testSteps()
  let uri = Components.classes["@mozilla.org/network/io-service;1"]
                      .getService(Components.interfaces.nsIIOService)
                      .newURI("http://appdata.example.com", null, null);
-  let ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                      .getService(Components.interfaces.nsIScriptSecurityManager);
-  let principal = ssm.createCodebasePrincipal(uri, {});
+  let principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                     .getService(Components.interfaces.nsIScriptSecurityManager)
+                     .getNoAppCodebasePrincipal(uri);

  request = indexedDB.openForPrincipal(principal, name, 1);
  request.onerror = errorHandler;
--- a/dom/indexedDB/test/unit/test_temporary_storage.js
+++ b/dom/indexedDB/test/unit/test_temporary_storage.js
@ -34,9 +34,9 @@ function testSteps()
    let uri = Cc["@mozilla.org/network/io-service;1"]
                .getService(Ci.nsIIOService)
                .newURI(url, null, null);
-    let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                .getService(Ci.nsIScriptSecurityManager);
-    return ssm.createCodebasePrincipal(uri, {});
+    return Cc["@mozilla.org/scriptsecuritymanager;1"]
+             .getService(Ci.nsIScriptSecurityManager)
+             .getNoAppCodebasePrincipal(uri);
  }

  for (let temporary of [true, false]) {
--- a/dom/ipc/AppProcessChecker.cpp
+++ b/dom/ipc/AppProcessChecker.cpp
@ -12,6 +12,7 @@
 #include "mozilla/hal_sandbox/PHalParent.h"
 #include "nsIAppsService.h"
 #include "nsIPrincipal.h"
+#include "nsIScriptSecurityManager.h"
 #include "nsPrintfCString.h"
 #include "nsIURI.h"
 #include "nsNetUtil.h"
@ -231,10 +232,21 @@ GetAppPrincipal(uint32_t aAppId)
  nsresult rv = appsService->GetAppByLocalId(aAppId, getter_AddRefs(app));
  NS_ENSURE_SUCCESS(rv, nullptr);

-  nsCOMPtr<nsIPrincipal> principal;
-  app->GetPrincipal(getter_AddRefs(principal));
+  nsString origin;
+  rv = app->GetOrigin(origin);
+  NS_ENSURE_SUCCESS(rv, nullptr);

-  return principal.forget();
+  nsCOMPtr<nsIURI> uri;
+  NS_NewURI(getter_AddRefs(uri), origin);
+
+  nsCOMPtr<nsIScriptSecurityManager> secMan =
+    do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID);
+
+  nsCOMPtr<nsIPrincipal> appPrincipal;
+  rv = secMan->GetAppCodebasePrincipal(uri, aAppId, false,
+                                       getter_AddRefs(appPrincipal));
+  NS_ENSURE_SUCCESS(rv, nullptr);
+  return appPrincipal.forget();
 }

 uint32_t
--- a/dom/ipc/TabChild.cpp
+++ b/dom/ipc/TabChild.cpp
@ -1562,15 +1562,23 @@ TabChild::MaybeRequestPreinitCamera()
      return;
    }

-    nsCOMPtr<mozIApplication> app;
-    nsresult rv = appsService->GetAppByLocalId(OwnAppId(), getter_AddRefs(app));
+    nsString manifestUrl = EmptyString();
+    appsService->GetManifestURLByLocalId(OwnAppId(), manifestUrl);
+    nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
+    if (NS_WARN_IF(!secMan)) {
+      return;
+    }
+
+    nsCOMPtr<nsIURI> uri;
+    nsresult rv = NS_NewURI(getter_AddRefs(uri), manifestUrl);
    if (NS_WARN_IF(NS_FAILED(rv))) {
      return;
    }

    nsCOMPtr<nsIPrincipal> principal;
-    app->GetPrincipal(getter_AddRefs(principal));
-    if (NS_WARN_IF(!principal)) {
+    rv = secMan->GetAppCodebasePrincipal(uri, OwnAppId(), false,
+                                         getter_AddRefs(principal));
+    if (NS_WARN_IF(NS_FAILED(rv))) {
      return;
    }

--- a/dom/payment/Payment.jsm
+++ b/dom/payment/Payment.jsm
@ -236,9 +236,8 @@ let PaymentManager =  {
        if (systemAppId != Ci.nsIScriptSecurityManager.NO_APP_ID) {
          this.LOG("Granting firefox-accounts permission to " + provider.uri);
          let uri = Services.io.newURI(provider.uri, null, null);
-          let attrs = {appId: systemAppId, inBrowser: true};
-          let principal =
-            Services.scriptSecurityManager.createCodebasePrincipal(uri, attrs);
+          let principal = Services.scriptSecurityManager
+                            .getAppCodebasePrincipal(uri, systemAppId, true);

          Services.perms.addFromPrincipal(principal, "firefox-accounts",
                                          Ci.nsIPermissionManager.ALLOW_ACTION,
--- a/dom/permission/PermissionSettings.js
+++ b/dom/permission/PermissionSettings.js
@ -35,14 +35,10 @@ XPCOMUtils.defineLazyServiceGetter(this,

 PermissionSettings.prototype = {
  get: function get(aPermName, aManifestURL, aOrigin, aBrowserFlag) {
-    // TODO: Bug 1196644 - Add signPKg parameter into PermissionSettings.js
    debug("Get called with: " + aPermName + ", " + aManifestURL + ", " + aOrigin + ", " + aBrowserFlag);
    let uri = Services.io.newURI(aOrigin, null, null);
    let appID = appsService.getAppLocalIdByManifestURL(aManifestURL);
-    let principal =
-      Services.scriptSecurityManager.createCodebasePrincipal(uri,
-                                                             {appId: appID,
-                                                              inBrowser: aBrowserFlag});
+    let principal = Services.scriptSecurityManager.getAppCodebasePrincipal(uri, appID, aBrowserFlag);
    let result = Services.perms.testExactPermanentPermission(principal, aPermName);

    switch (result)
@ -63,12 +59,11 @@ PermissionSettings.prototype = {

  isExplicit: function isExplicit(aPermName, aManifestURL, aOrigin,
                                  aBrowserFlag) {
-    // TODO: Bug 1196644 - Add signPKg parameter into PermissionSettings.js
    debug("isExplicit: " + aPermName + ", " + aManifestURL + ", " + aOrigin);
    let uri = Services.io.newURI(aOrigin, null, null);
    let app = appsService.getAppByManifestURL(aManifestURL);
    let principal = Services.scriptSecurityManager
-      .createCodebasePrincipal(uri, {appId: app.localId, inBrowser: aBrowserFlag});
+      .getAppCodebasePrincipal(uri, app.localId, aBrowserFlag);

    return isExplicitInPermissionsTable(aPermName,
                                        principal.appStatus,
@ -104,13 +99,9 @@ PermissionSettings.prototype = {
  },

  remove: function remove(aPermName, aManifestURL, aOrigin) {
-    // TODO: Bug 1196644 - Add signPKg parameter into PermissionSettings.js
    let uri = Services.io.newURI(aOrigin, null, null);
    let appID = appsService.getAppLocalIdByManifestURL(aManifestURL);
-    let principal =
-      Services.scriptSecurityManager.createCodebasePrincipal(uri,
-                                                             {appId: appID,
-                                                              inBrowser: true});
+    let principal = Services.scriptSecurityManager.getAppCodebasePrincipal(uri, appID, true);

    if (principal.appStatus !== Ci.nsIPrincipal.APP_STATUS_NOT_INSTALLED) {
      let errorMsg = "PermissionSettings.js: '" + aOrigin + "'" +
--- a/dom/permission/PermissionSettings.jsm
+++ b/dom/permission/PermissionSettings.jsm
@ -67,13 +67,9 @@ this.PermissionSettingsModule = {


  _internalAddPermission: function _internalAddPermission(aData, aAllowAllChanges, aCallbacks) {
-    // TODO: Bug 1196644 - Add signPKg parameter into PermissionSettings.jsm
    let uri = Services.io.newURI(aData.origin, null, null);
    let app = appsService.getAppByManifestURL(aData.manifestURL);
-    let principal =
-      Services.scriptSecurityManager.createCodebasePrincipal(uri,
-                                                             {appId: app.localId,
-                                                              inBrowser: aData.browserFlag});
+    let principal = Services.scriptSecurityManager.getAppCodebasePrincipal(uri, app.localId, aData.browserFlag);

    let action;
    switch (aData.value)
@ -107,14 +103,10 @@ this.PermissionSettingsModule = {
  },

  getPermission: function getPermission(aPermName, aManifestURL, aOrigin, aBrowserFlag) {
-    // TODO: Bug 1196644 - Add signPKg parameter into PermissionSettings.jsm
    debug("getPermission: " + aPermName + ", " + aManifestURL + ", " + aOrigin);
    let uri = Services.io.newURI(aOrigin, null, null);
    let appID = appsService.getAppLocalIdByManifestURL(aManifestURL);
-    let principal =
-      Services.scriptSecurityManager.createCodebasePrincipal(uri,
-                                                             {appId: appID,
-                                                              inBrowser: aBrowserFlag});
+    let principal = Services.scriptSecurityManager.getAppCodebasePrincipal(uri, appID, aBrowserFlag);
    let result = Services.perms.testExactPermissionFromPrincipal(principal, aPermName);

    switch (result)
--- a/dom/quota/QuotaManager.cpp
+++ b/dom/quota/QuotaManager.cpp
@ -5288,9 +5288,10 @@ StorageDirectoryHelper::RunOnMainThread()
          rv = secMan->GetSimpleCodebasePrincipal(uri,
                                                  getter_AddRefs(principal));
        } else {
-          OriginAttributes attrs(originProps.mAppId, originProps.mInMozBrowser);
-          principal = BasePrincipal::CreateCodebasePrincipal(uri, attrs);
-          rv = principal ? NS_OK : NS_ERROR_FAILURE;
+          rv = secMan->GetAppCodebasePrincipal(uri,
+                                               originProps.mAppId,
+                                               originProps.mInMozBrowser,
+                                               getter_AddRefs(principal));
        }
        if (NS_WARN_IF(NS_FAILED(rv))) {
          return rv;
--- a/dom/tests/mochitest/chrome/test_MozDomFullscreen_event.xul
+++ b/dom/tests/mochitest/chrome/test_MozDomFullscreen_event.xul
@ -27,9 +27,9 @@ function make_uri(url) {
 // Ensure "fullscreen" permissions are not present on the test URI.
 var pm = Cc["@mozilla.org/permissionmanager;1"].getService(Ci.nsIPermissionManager);
 var uri = make_uri("http://mochi.test:8888");
-var ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                            .getService(Ci.nsIScriptSecurityManager);
-var principal = ssm.createCodebasePrincipal(uri, {});
+var principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                  .getService(Ci.nsIScriptSecurityManager)
+                  .getNoAppCodebasePrincipal(uri);
 pm.removeFromPrincipal(principal, "fullscreen");

 SpecialPowers.pushPrefEnv({"set": [
--- a/dom/tests/mochitest/localstorage/test_localStorageFromChrome.xhtml
+++ b/dom/tests/mochitest/localstorage/test_localStorageFromChrome.xhtml
@ -18,11 +18,11 @@ function startTest()
    .getService(Components.interfaces.nsIDOMStorageManager);

  var uri = ios.newURI(url, "", null);
-  var principal = ssm.createCodebasePrincipal(uri, {});
+  var principal = ssm.getNoAppCodebasePrincipal(uri);
  var storage = dsm.createStorage(window, principal, "");
-
+  
  storage.setItem("chromekey", "chromevalue");
-
+  
  var aframe = document.getElementById("aframe");
  aframe.onload = function()
  {
--- a/extensions/cookie/nsPermission.cpp
+++ b/extensions/cookie/nsPermission.cpp
@ -7,6 +7,7 @@
 #include "nsContentUtils.h"
 #include "nsIClassInfoImpl.h"
 #include "nsIEffectiveTLDService.h"
+#include "nsIScriptSecurityManager.h"
 #include "mozilla/BasePrincipal.h"

 // nsPermission Implementation
@ -167,9 +168,12 @@ nsPermission::MatchesURI(nsIURI* aURI, bool aExactHost, bool* aMatches)
 {
  NS_ENSURE_ARG_POINTER(aURI);

-  mozilla::OriginAttributes attrs;
-  nsCOMPtr<nsIPrincipal> principal = mozilla::BasePrincipal::CreateCodebasePrincipal(aURI, attrs);
-  NS_ENSURE_TRUE(principal, NS_ERROR_FAILURE);
+  nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
+  NS_ENSURE_TRUE(secMan, NS_ERROR_FAILURE);
+
+  nsCOMPtr<nsIPrincipal> principal;
+  nsresult rv = secMan->GetNoAppCodebasePrincipal(aURI, getter_AddRefs(principal));
+  NS_ENSURE_SUCCESS(rv, rv);

  return Matches(principal, aExactHost, aMatches);
 }
--- a/extensions/cookie/nsPermissionManager.cpp
+++ b/extensions/cookie/nsPermissionManager.cpp
@ -126,24 +126,19 @@ GetPrincipalFromOrigin(const nsACString& aOrigin, nsIPrincipal** aPrincipal)
 nsresult
 GetPrincipal(nsIURI* aURI, uint32_t aAppId, bool aIsInBrowserElement, nsIPrincipal** aPrincipal)
 {
-  // TODO: Bug 1165267 - Use OriginAttributes for nsCookieService
-  mozilla::OriginAttributes attrs(aAppId, aIsInBrowserElement);
-  nsCOMPtr<nsIPrincipal> principal = mozilla::BasePrincipal::CreateCodebasePrincipal(aURI, attrs);
-  NS_ENSURE_TRUE(principal, NS_ERROR_FAILURE);
+  nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
+  NS_ENSURE_TRUE(secMan, NS_ERROR_FAILURE);

-  principal.forget(aPrincipal);
-  return NS_OK;
+  return secMan->GetAppCodebasePrincipal(aURI, aAppId, aIsInBrowserElement, aPrincipal);
 }

 nsresult
 GetPrincipal(nsIURI* aURI, nsIPrincipal** aPrincipal)
 {
-  mozilla::OriginAttributes attrs;
-  nsCOMPtr<nsIPrincipal> principal = mozilla::BasePrincipal::CreateCodebasePrincipal(aURI, attrs);
-  NS_ENSURE_TRUE(principal, NS_ERROR_FAILURE);
+  nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
+  NS_ENSURE_TRUE(secMan, NS_ERROR_FAILURE);

-  principal.forget(aPrincipal);
-  return NS_OK;
+  return secMan->GetNoAppCodebasePrincipal(aURI, aPrincipal);
 }

 nsCString
--- a/extensions/cookie/test/test_app_uninstall_permissions.html
+++ b/extensions/cookie/test/test_app_uninstall_permissions.html
@ -67,22 +67,19 @@ function onInstall() {

  var currentPermissionCount = getPermissionCountForApp(-1);

-  var attrs = {appId: testAppId};
-  var principal = secMan.createCodebasePrincipal(ioService.newURI("http://www.example.com", null, null),
-                                                 attrs);
+  var principal = secMan.getAppCodebasePrincipal(ioService.newURI("http://www.example.com", null, null),
+                                                 testAppId, false);

  permManager.addFromPrincipal(principal, "foobar", Ci.nsIPermissionManager.ALLOW_ACTION);
  permManager.addFromPrincipal(principal, "foo", Ci.nsIPermissionManager.DENY_ACTION);
  permManager.addFromPrincipal(principal, "bar", Ci.nsIPermissionManager.ALLOW_ACTION, Ci.nsIPermissionManager.EXPIRE_SESSION, 0);

-  attrs = {appId: testAppId, inBrowser: true};
-  principal = secMan.createCodebasePrincipal(ioService.newURI("http://www.example.com", null, null),
-                                             attrs);
+  principal = secMan.getAppCodebasePrincipal(ioService.newURI("http://www.example.com", null, null),
+                                             testAppId, true);
  permManager.addFromPrincipal(principal, "foobar", Ci.nsIPermissionManager.ALLOW_ACTION);

-  attrs = {appId: testAppId};
-  principal = secMan.createCodebasePrincipal(ioService.newURI("http://www.example.org", null, null),
-                                             attrs);
+  principal = secMan.getAppCodebasePrincipal(ioService.newURI("http://www.example.org", null, null),
+                                             testAppId, false);
  permManager.addFromPrincipal(principal, "foobar", Ci.nsIPermissionManager.ALLOW_ACTION);

  is(getPermissionCountForApp(testAppId), 5, "App should have 5 permissions");
--- a/extensions/cookie/test/unit/test_permmanager_cleardata.js
+++ b/extensions/cookie/test/unit/test_permmanager_cleardata.js
@ -6,8 +6,7 @@ let pm;
 // Create a principal based on the { origin, appId, browserElement }.
 function createPrincipal(aOrigin, aAppId, aBrowserElement)
 {
-  var attrs = {appId: aAppId, inBrowser: aBrowserElement};
-  return Services.scriptSecurityManager.createCodebasePrincipal(NetUtil.newURI(aOrigin), attrs);
+  return Services.scriptSecurityManager.getAppCodebasePrincipal(NetUtil.newURI(aOrigin), aAppId, aBrowserElement);
 }

 // Return the subject required by 'webapps-clear-data' notification.
--- a/extensions/cookie/test/unit/test_permmanager_defaults.js
+++ b/extensions/cookie/test/unit/test_permmanager_defaults.js
@ -51,14 +51,12 @@ add_task(function* do_test() {
           getService(Ci.nsIPermissionManager);

  // test the default permission was applied.
-  let principal = Services.scriptSecurityManager.createCodebasePrincipal(TEST_ORIGIN, {});
-  let principalHttps = Services.scriptSecurityManager.createCodebasePrincipal(TEST_ORIGIN_HTTPS, {});
-  let principal2 = Services.scriptSecurityManager.createCodebasePrincipal(TEST_ORIGIN_2, {});
-  let principal3 = Services.scriptSecurityManager.createCodebasePrincipal(TEST_ORIGIN_3, {});
-
-  let attrs = {appId: 1000, inBrowser: true};
-  let principal4 = Services.scriptSecurityManager.createCodebasePrincipal(TEST_ORIGIN, attrs);
-  let principal5 = Services.scriptSecurityManager.createCodebasePrincipal(TEST_ORIGIN_3, attrs);
+  let principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(TEST_ORIGIN);
+  let principalHttps = Services.scriptSecurityManager.getNoAppCodebasePrincipal(TEST_ORIGIN_HTTPS);
+  let principal2 = Services.scriptSecurityManager.getNoAppCodebasePrincipal(TEST_ORIGIN_2);
+  let principal3 = Services.scriptSecurityManager.getNoAppCodebasePrincipal(TEST_ORIGIN_3);
+  let principal4 = Services.scriptSecurityManager.getAppCodebasePrincipal(TEST_ORIGIN, 1000, true);
+  let principal5 = Services.scriptSecurityManager.getAppCodebasePrincipal(TEST_ORIGIN_3, 1000, true);

  do_check_eq(Ci.nsIPermissionManager.ALLOW_ACTION,
              pm.testPermissionFromPrincipal(principal, TEST_PERMISSION));
@ -224,7 +222,7 @@ function checkCapabilityViaDB(expected, origin = TEST_ORIGIN, type = TEST_PERMIS
 // value (ie, the "capability" in nsIPermission parlance) or null if it can't
 // be found.
 function findCapabilityViaDB(origin = TEST_ORIGIN, type = TEST_PERMISSION) {
-  let principal = Services.scriptSecurityManager.createCodebasePrincipal(origin, {});
+  let principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(origin);
  let originStr = principal.origin;

  let file = Services.dirsvc.get("ProfD", Ci.nsIFile);
--- a/extensions/cookie/test/unit/test_permmanager_expiration.js
+++ b/extensions/cookie/test/unit/test_permmanager_expiration.js
@ -21,7 +21,7 @@ function do_run_test() {

  let pm = Services.perms;
  let permURI = NetUtil.newURI("http://example.com");
-  let principal = Services.scriptSecurityManager.createCodebasePrincipal(permURI, {});
+  let principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(permURI);

  let now = Number(Date.now());

--- a/extensions/cookie/test/unit/test_permmanager_getPermissionObject.js
+++ b/extensions/cookie/test/unit/test_permmanager_getPermissionObject.js
@ -1,11 +1,10 @@
 /* Any copyright is dedicated to the Public Domain.
   http://creativecommons.org/publicdomain/zero/1.0/ */

-function getPrincipalFromURI(aURI) {
-  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
-  let uri = NetUtil.newURI(aURI);
-  return ssm.createCodebasePrincipal(uri, {});
+function getPrincipalFromURI(uri) {
+  return Cc["@mozilla.org/scriptsecuritymanager;1"]
+           .getService(Ci.nsIScriptSecurityManager)
+           .getNoAppCodebasePrincipal(NetUtil.newURI(uri));
 }

 function getSystemPrincipal() {
--- a/extensions/cookie/test/unit/test_permmanager_idn.js
+++ b/extensions/cookie/test/unit/test_permmanager_idn.js
@ -2,10 +2,9 @@
   http://creativecommons.org/publicdomain/zero/1.0/ */

 function getPrincipalFromDomain(aDomain) {
-  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
-  let uri = NetUtil.newURI("http://" + aDomain);
-  return ssm.createCodebasePrincipal(uri, {});
+  return Cc["@mozilla.org/scriptsecuritymanager;1"]
+           .getService(Ci.nsIScriptSecurityManager)
+           .getNoAppCodebasePrincipal(NetUtil.newURI("http://" + aDomain));
 }

 function run_test() {
@ -46,4 +45,4 @@ function run_test() {
  do_check_eq(pm.testPermissionFromPrincipal(witnessPrincipal, perm), pm.UNKNOWN_ACTION);
  witnessPrincipal = getPrincipalFromDomain("foo.bar.com");
  do_check_eq(pm.testPermissionFromPrincipal(witnessPrincipal, perm), pm.UNKNOWN_ACTION);
-}
+}
--- a/extensions/cookie/test/unit/test_permmanager_load_invalid_entries.js
+++ b/extensions/cookie/test/unit/test_permmanager_load_invalid_entries.js
@ -134,9 +134,8 @@ function run_test() {
  do_check_true(numMigrated > 0, "we found at least 1 record that was migrated");

  // This permission should always be there.
-  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
-  let uri = NetUtil.newURI("http://example.org");
-  let principal = ssm.createCodebasePrincipal(uri, {});
+  let principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(NetUtil.newURI("http://example.org"));
  do_check_eq(pm.testPermissionFromPrincipal(principal, 'test-load-invalid-entries'), Ci.nsIPermissionManager.ALLOW_ACTION);
 }
--- a/extensions/cookie/test/unit/test_permmanager_local_files.js
+++ b/extensions/cookie/test/unit/test_permmanager_local_files.js
@ -5,8 +5,7 @@

 function getPrincipalFromURIString(uriStr)
 {
-  let uri = NetUtil.newURI(uriStr);
-  return Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
+  return Services.scriptSecurityManager.getNoAppCodebasePrincipal(NetUtil.newURI(uriStr));
 }

 function run_test() {
--- a/extensions/cookie/test/unit/test_permmanager_matches.js
+++ b/extensions/cookie/test/unit/test_permmanager_matches.js
@ -38,44 +38,40 @@ function run_test() {
  let uri4 = NetUtil.newURI("https://hangouts.google.com/#!/hangout", null, null);
  let uri5 = NetUtil.newURI("http://google.com:8096/", null, null);

-  let uri0_n_n = secMan.createCodebasePrincipal(uri0, {});
-  let uri1_n_n = secMan.createCodebasePrincipal(uri1, {});
-  let uri2_n_n = secMan.createCodebasePrincipal(uri2, {});
-  let uri3_n_n = secMan.createCodebasePrincipal(uri3, {});
-  let uri4_n_n = secMan.createCodebasePrincipal(uri4, {});
-  let uri5_n_n = secMan.createCodebasePrincipal(uri5, {});
+  let uri0_n_n = secMan.getNoAppCodebasePrincipal(uri0);
+  let uri1_n_n = secMan.getNoAppCodebasePrincipal(uri1);
+  let uri2_n_n = secMan.getNoAppCodebasePrincipal(uri2);
+  let uri3_n_n = secMan.getNoAppCodebasePrincipal(uri3);
+  let uri4_n_n = secMan.getNoAppCodebasePrincipal(uri4);
+  let uri5_n_n = secMan.getNoAppCodebasePrincipal(uri5);

-  let attrs = {appId: 1000};
-  let uri0_1000_n = secMan.createCodebasePrincipal(uri0, attrs);
-  let uri1_1000_n = secMan.createCodebasePrincipal(uri1, attrs);
-  let uri2_1000_n = secMan.createCodebasePrincipal(uri2, attrs);
-  let uri3_1000_n = secMan.createCodebasePrincipal(uri3, attrs);
-  let uri4_1000_n = secMan.createCodebasePrincipal(uri4, attrs);
-  let uri5_1000_n = secMan.createCodebasePrincipal(uri5, attrs);
+  let uri0_1000_n = secMan.getAppCodebasePrincipal(uri0, 1000, false);
+  let uri1_1000_n = secMan.getAppCodebasePrincipal(uri1, 1000, false);
+  let uri2_1000_n = secMan.getAppCodebasePrincipal(uri2, 1000, false);
+  let uri3_1000_n = secMan.getAppCodebasePrincipal(uri3, 1000, false);
+  let uri4_1000_n = secMan.getAppCodebasePrincipal(uri4, 1000, false);
+  let uri5_1000_n = secMan.getAppCodebasePrincipal(uri5, 1000, false);

-  attrs = {appId: 1000, inBrowser: true};
-  let uri0_1000_y = secMan.createCodebasePrincipal(uri0, attrs);
-  let uri1_1000_y = secMan.createCodebasePrincipal(uri1, attrs);
-  let uri2_1000_y = secMan.createCodebasePrincipal(uri2, attrs);
-  let uri3_1000_y = secMan.createCodebasePrincipal(uri3, attrs);
-  let uri4_1000_y = secMan.createCodebasePrincipal(uri4, attrs);
-  let uri5_1000_y = secMan.createCodebasePrincipal(uri5, attrs);
+  let uri0_1000_y = secMan.getAppCodebasePrincipal(uri0, 1000, true);
+  let uri1_1000_y = secMan.getAppCodebasePrincipal(uri1, 1000, true);
+  let uri2_1000_y = secMan.getAppCodebasePrincipal(uri2, 1000, true);
+  let uri3_1000_y = secMan.getAppCodebasePrincipal(uri3, 1000, true);
+  let uri4_1000_y = secMan.getAppCodebasePrincipal(uri4, 1000, true);
+  let uri5_1000_y = secMan.getAppCodebasePrincipal(uri5, 1000, true);

-  attrs = {appId: 2000};
-  let uri0_2000_n = secMan.createCodebasePrincipal(uri0, attrs);
-  let uri1_2000_n = secMan.createCodebasePrincipal(uri1, attrs);
-  let uri2_2000_n = secMan.createCodebasePrincipal(uri2, attrs);
-  let uri3_2000_n = secMan.createCodebasePrincipal(uri3, attrs);
-  let uri4_2000_n = secMan.createCodebasePrincipal(uri4, attrs);
-  let uri5_2000_n = secMan.createCodebasePrincipal(uri5, attrs);
+  let uri0_2000_n = secMan.getAppCodebasePrincipal(uri0, 2000, false);
+  let uri1_2000_n = secMan.getAppCodebasePrincipal(uri1, 2000, false);
+  let uri2_2000_n = secMan.getAppCodebasePrincipal(uri2, 2000, false);
+  let uri3_2000_n = secMan.getAppCodebasePrincipal(uri3, 2000, false);
+  let uri4_2000_n = secMan.getAppCodebasePrincipal(uri4, 2000, false);
+  let uri5_2000_n = secMan.getAppCodebasePrincipal(uri5, 2000, false);

-  attrs = {appId: 2000, inBrowser: true};
-  let uri0_2000_y = secMan.createCodebasePrincipal(uri0, attrs);
-  let uri1_2000_y = secMan.createCodebasePrincipal(uri1, attrs);
-  let uri2_2000_y = secMan.createCodebasePrincipal(uri2, attrs);
-  let uri3_2000_y = secMan.createCodebasePrincipal(uri3, attrs);
-  let uri4_2000_y = secMan.createCodebasePrincipal(uri4, attrs);
-  let uri5_2000_y = secMan.createCodebasePrincipal(uri5, attrs);
+  let uri0_2000_y = secMan.getAppCodebasePrincipal(uri0, 2000, true);
+  let uri1_2000_y = secMan.getAppCodebasePrincipal(uri1, 2000, true);
+  let uri2_2000_y = secMan.getAppCodebasePrincipal(uri2, 2000, true);
+  let uri3_2000_y = secMan.getAppCodebasePrincipal(uri3, 2000, true);
+  let uri4_2000_y = secMan.getAppCodebasePrincipal(uri4, 2000, true);
+  let uri5_2000_y = secMan.getAppCodebasePrincipal(uri5, 2000, true);

  pm.addFromPrincipal(uri0_n_n, "test/matches", pm.ALLOW_ACTION);
  let perm_n_n = pm.getPermissionObject(uri0_n_n, "test/matches", true);
--- a/extensions/cookie/test/unit/test_permmanager_matchesuri.js
+++ b/extensions/cookie/test/unit/test_permmanager_matchesuri.js
@ -30,9 +30,9 @@ function mk_permission(uri, isAppPermission = false) {
        .getService(Ci.nsIScriptSecurityManager);

  // Get the permission from the principal!
-  let attrs = {appId: 1000};
-  let principal =
-    secMan.createCodebasePrincipal(uri, isAppPermission ? attrs : {});
+  let principal = isAppPermission ?
+        secMan.getAppCodebasePrincipal(uri, 1000, false) :
+        secMan.getNoAppCodebasePrincipal(uri);

  pm.addFromPrincipal(principal, "test/matchesuri", pm.ALLOW_ACTION);
  let permission = pm.getPermissionObject(principal, "test/matchesuri", true);
--- a/extensions/cookie/test/unit/test_permmanager_notifications.js
+++ b/extensions/cookie/test/unit/test_permmanager_notifications.js
@ -23,10 +23,9 @@ function do_run_test() {
  let pm = Services.perms;
  let now = Number(Date.now());
  let permType = "test/expiration-perm";
-  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
-  let uri = NetUtil.newURI("http://example.com");
-  let principal = ssm.createCodebasePrincipal(uri, {});
+  let principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(NetUtil.newURI("http://example.com"));

  let observer = new permission_observer(test_generator, now, permType);
  Services.obs.addObserver(observer, "perm-changed", false);
--- a/extensions/cookie/test/unit/test_permmanager_removesince.js
+++ b/extensions/cookie/test/unit/test_permmanager_removesince.js
@ -24,10 +24,10 @@ function do_run_test() {
  // to help with testing edge-cases, we will arrange for .removeAllSince to
  // remove *all* permissions from one principal and one permission from another.
  let permURI1 = NetUtil.newURI("http://example.com");
-  let principal1 = Services.scriptSecurityManager.createCodebasePrincipal(permURI1, {});
+  let principal1 = Services.scriptSecurityManager.getNoAppCodebasePrincipal(permURI1);

  let permURI2 = NetUtil.newURI("http://example.org");
-  let principal2 = Services.scriptSecurityManager.createCodebasePrincipal(permURI2, {});
+  let principal2 = Services.scriptSecurityManager.getNoAppCodebasePrincipal(permURI2);

  // add a permission now - this isn't going to be removed.
  pm.addFromPrincipal(principal1, "test/remove-since", 1);
--- a/extensions/cookie/test/unit/test_permmanager_subdomains.js
+++ b/extensions/cookie/test/unit/test_permmanager_subdomains.js
@ -1,11 +1,10 @@
 /* Any copyright is dedicated to the Public Domain.
   http://creativecommons.org/publicdomain/zero/1.0/ */

-function getPrincipalFromURI(aURI) {
-  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
-  let uri = NetUtil.newURI(aURI);
-  return ssm.createCodebasePrincipal(uri, {});
+function getPrincipalFromURI(uri) {
+  return Cc["@mozilla.org/scriptsecuritymanager;1"]
+           .getService(Ci.nsIScriptSecurityManager)
+           .getNoAppCodebasePrincipal(NetUtil.newURI(uri));
 }

 function run_test() {
@ -54,4 +53,4 @@ function run_test() {
  do_check_eq(pm.testPermissionFromPrincipal(sub1Principal, "test/subdomains"),   pm.UNKNOWN_ACTION);
  do_check_eq(pm.testPermissionFromPrincipal(sub2Principal, "test/subdomains"),   pm.UNKNOWN_ACTION);
  do_check_eq(pm.testPermissionFromPrincipal(subsubPrincipal, "test/subdomains"), pm.UNKNOWN_ACTION);
-}
+}
--- a/extensions/cookie/test/unit_ipc/test_child.js
+++ b/extensions/cookie/test/unit_ipc/test_child.js
@ -12,9 +12,9 @@ function isParentProcess() {

 function getPrincipalForURI(aURI) {
  var uri =  gIoService.newURI(aURI, null, null);
-  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
-  return ssm.createCodebasePrincipal(uri, {});
+  return Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                   .getService(Ci.nsIScriptSecurityManager)
+                   .getNoAppCodebasePrincipal(uri);
 }

 function run_test() {
--- a/extensions/cookie/test/unit_ipc/test_parent.js
+++ b/extensions/cookie/test/unit_ipc/test_parent.js
@ -12,9 +12,9 @@ function isParentProcess() {

 function getPrincipalForURI(aURI) {
  var uri = gIoService.newURI(aURI, null, null);
-  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
-  return ssm.createCodebasePrincipal(uri, {});
+  return Cc["@mozilla.org/scriptsecuritymanager;1"]
+           .getService(Ci.nsIScriptSecurityManager)
+           .getNoAppCodebasePrincipal(uri);
 }

 function run_test() {
--- a/gfx/thebes/gfxSVGGlyphs.cpp
+++ b/gfx/thebes/gfxSVGGlyphs.cpp
@ -19,10 +19,10 @@
 #include "nsStringStream.h"
 #include "nsStreamUtils.h"
 #include "nsIPrincipal.h"
-#include "mozilla/BasePrincipal.h"
 #include "mozilla/dom/Element.h"
 #include "mozilla/LoadInfo.h"
 #include "nsSVGUtils.h"
+#include "nsIScriptSecurityManager.h"
 #include "nsHostObjectProtocolHandler.h"
 #include "nsContentUtils.h"
 #include "gfxFont.h"
@ -348,10 +348,9 @@ gfxSVGGlyphsDocument::ParseDocument(const uint8_t *aBuffer, uint32_t aBufLen)
    rv = NS_NewURI(getter_AddRefs(uri), mSVGGlyphsDocumentURI);
    NS_ENSURE_SUCCESS(rv, rv);

-    OriginAttributes attrs;
-    nsCOMPtr<nsIPrincipal> principal =
-        BasePrincipal::CreateCodebasePrincipal(uri, attrs);
-    NS_ENSURE_TRUE(principal, NS_ERROR_FAILURE);
+    nsCOMPtr<nsIPrincipal> principal;
+    nsContentUtils::GetSecurityManager()->
+        GetNoAppCodebasePrincipal(uri, getter_AddRefs(principal));

    nsCOMPtr<nsIDOMDocument> domDoc;
    rv = NS_NewDOMDocument(getter_AddRefs(domDoc),
--- a/ipc/glue/BackgroundUtils.cpp
+++ b/ipc/glue/BackgroundUtils.cpp
@ -6,7 +6,6 @@

 #include "MainThreadUtils.h"
 #include "mozilla/Assertions.h"
-#include "mozilla/BasePrincipal.h"
 #include "mozilla/ipc/PBackgroundSharedTypes.h"
 #include "mozilla/net/NeckoChannelParams.h"
 #include "nsPrincipal.h"
@ -24,8 +23,6 @@ namespace net {
 class OptionalLoadInfoArgs;
 }

-using mozilla::BasePrincipal;
-using mozilla::OriginAttributes;
 using namespace mozilla::net;

 namespace ipc {
@ -80,10 +77,10 @@ PrincipalInfoToPrincipal(const PrincipalInfo& aPrincipalInfo,
      if (info.appId() == nsIScriptSecurityManager::UNKNOWN_APP_ID) {
        rv = secMan->GetSimpleCodebasePrincipal(uri, getter_AddRefs(principal));
      } else {
-        // TODO: Bug 1167100 - User nsIPrincipal.originAttribute in ContentPrincipalInfo
-        OriginAttributes attrs(info.appId(), info.isInBrowserElement());
-        principal = BasePrincipal::CreateCodebasePrincipal(uri, attrs);
-        rv = principal ? NS_OK : NS_ERROR_FAILURE;
+        rv = secMan->GetAppCodebasePrincipal(uri,
+                                             info.appId(),
+                                             info.isInBrowserElement(),
+                                             getter_AddRefs(principal));
      }
      if (NS_WARN_IF(NS_FAILED(rv))) {
        return nullptr;
--- a/js/xpconnect/src/Sandbox.cpp
+++ b/js/xpconnect/src/Sandbox.cpp
@ -16,6 +16,7 @@
 #include "nsGlobalWindow.h"
 #include "nsIScriptContext.h"
 #include "nsIScriptObjectPrincipal.h"
+#include "nsIScriptSecurityManager.h"
 #include "nsIURI.h"
 #include "nsJSUtils.h"
 #include "nsNetUtil.h"
@ -1192,15 +1193,15 @@ ParsePrincipal(JSContext* cx, HandleString codebase, nsIPrincipal** principal)
        return false;
    }

+    nsCOMPtr<nsIScriptSecurityManager> secman =
+        do_GetService(kScriptSecurityManagerContractID);
+    NS_ENSURE_TRUE(secman, false);
+
    // We could allow passing in the app-id and browser-element info to the
    // sandbox constructor. But creating a sandbox based on a string is a
    // deprecated API so no need to add features to it.
-    OriginAttributes attrs;
-    nsCOMPtr<nsIPrincipal> prin =
-        BasePrincipal::CreateCodebasePrincipal(uri, attrs);
-    prin.forget(principal);
-
-    if (!*principal) {
+    rv = secman->GetNoAppCodebasePrincipal(uri, principal);
+    if (NS_FAILED(rv) || !*principal) {
        JS_ReportError(cx, "Creating Principal from URI failed");
        return false;
    }
--- a/netwerk/cookie/CookieServiceParent.cpp
+++ b/netwerk/cookie/CookieServiceParent.cpp
@ -7,7 +7,6 @@
 #include "mozilla/dom/PContentParent.h"
 #include "mozilla/net/NeckoParent.h"

-#include "mozilla/BasePrincipal.h"
 #include "mozilla/ipc/URIUtils.h"
 #include "nsCookieService.h"
 #include "nsIScriptSecurityManager.h"
@ -17,8 +16,6 @@
 #include "SerializedLoadContext.h"

 using namespace mozilla::ipc;
-using mozilla::BasePrincipal;
-using mozilla::OriginAttributes;
 using mozilla::dom::PContentParent;
 using mozilla::net::NeckoParent;

@ -32,16 +29,16 @@ CreateDummyChannel(nsIURI* aHostURI, uint32_t aAppId, bool aInMozBrowser,
 {
  MOZ_ASSERT(aAppId != nsIScriptSecurityManager::UNKNOWN_APP_ID);

-  // TODO: Bug 1165267 - Use OriginAttributes for nsCookieService 
-  OriginAttributes attrs(aAppId, aInMozBrowser);
-  nsCOMPtr<nsIPrincipal> principal =
-    BasePrincipal::CreateCodebasePrincipal(aHostURI, attrs);
-  if (!principal) {
+  nsCOMPtr<nsIPrincipal> principal;
+  nsIScriptSecurityManager* ssm = nsContentUtils::GetSecurityManager();
+  nsresult rv = ssm->GetAppCodebasePrincipal(aHostURI, aAppId, aInMozBrowser,
+                                             getter_AddRefs(principal));
+  if (NS_FAILED(rv)) {
    return;
  }

  nsCOMPtr<nsIURI> dummyURI;
-  nsresult rv = NS_NewURI(getter_AddRefs(dummyURI), "about:blank");
+  rv = NS_NewURI(getter_AddRefs(dummyURI), "about:blank");
  if (NS_FAILED(rv)) {
      return;
  }
--- a/netwerk/protocol/http/HttpChannelParent.cpp
+++ b/netwerk/protocol/http/HttpChannelParent.cpp
@ -17,6 +17,7 @@
 #include "nsNetUtil.h"
 #include "nsISupportsPriority.h"
 #include "nsIAuthPromptProvider.h"
+#include "nsIScriptSecurityManager.h"
 #include "nsSerializationHelper.h"
 #include "nsISerializable.h"
 #include "nsIAssociatedContentSecurity.h"
@ -33,10 +34,7 @@
 #include "mozilla/LoadInfo.h"
 #include "nsIHttpHeaderVisitor.h"
 #include "nsQueryObject.h"
-#include "mozilla/BasePrincipal.h"

-using mozilla::BasePrincipal;
-using mozilla::OriginAttributes;
 using namespace mozilla::dom;
 using namespace mozilla::ipc;

@ -458,15 +456,17 @@ HttpChannelParent::DoAsyncOpen(  const URIParams&           aURI,
        mLoadContext->GetIsInBrowserElement(&inBrowser);
      }

-      // TODO: Bug 1165466 - use originAttribute in nsILoadContext.
-      OriginAttributes attrs(appId, inBrowser);
-      nsCOMPtr<nsIPrincipal> principal =
-        BasePrincipal::CreateCodebasePrincipal(uri, attrs);
-
      bool chooseAppCache = false;
-      // This works because we've already called SetNotificationCallbacks and
-      // done mPBOverride logic by this point.
-      chooseAppCache = NS_ShouldCheckAppCache(principal, NS_UsePrivateBrowsing(mChannel));
+      nsCOMPtr<nsIScriptSecurityManager> secMan =
+        do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID);
+      if (secMan) {
+        nsCOMPtr<nsIPrincipal> principal;
+        secMan->GetAppCodebasePrincipal(uri, appId, inBrowser, getter_AddRefs(principal));
+
+        // This works because we've already called SetNotificationCallbacks and
+        // done mPBOverride logic by this point.
+        chooseAppCache = NS_ShouldCheckAppCache(principal, NS_UsePrivateBrowsing(mChannel));
+      }

      appCacheChan->SetChooseApplicationCache(chooseAppCache);
    }
--- a/netwerk/test/unit/test_auth_dialog_permission.js
+++ b/netwerk/test/unit/test_auth_dialog_permission.js
@ -111,10 +111,11 @@ function make_uri(url) {
 }

 function makeChan(loadingUrl, url, contentPolicy) {
-  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
-  var uri = make_uri(loadingUrl);
-  var principal = ssm.createCodebasePrincipal(uri, {});
+  var loadingUri = make_uri(loadingUrl);
+  var principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(loadingUri);
+
  var ios = Components.classes["@mozilla.org/network/io-service;1"]
                      .getService(Components.interfaces.nsIIOService);
  var chan = ios.newChannel2(url,
--- a/netwerk/test/unit/test_auth_jar.js
+++ b/netwerk/test/unit/test_auth_jar.js
@ -13,9 +13,9 @@ function run_test() {

  var secMan = Cc["@mozilla.org/scriptsecuritymanager;1"].getService(Ci.nsIScriptSecurityManager);
  const kURI1 = "http://example.com";
-  var app1 = secMan.createCodebasePrincipal(createURI(kURI1), {appId: 1});
-  var app10 = secMan.createCodebasePrincipal(createURI(kURI1),{appId: 10});
-  var app1browser = secMan.createCodebasePrincipal(createURI(kURI1), {appId: 1, inBrowser: true});
+  var app1 = secMan.getAppCodebasePrincipal(createURI(kURI1), 1, false);
+  var app10 = secMan.getAppCodebasePrincipal(createURI(kURI1), 10, false);
+  var app1browser = secMan.getAppCodebasePrincipal(createURI(kURI1), 1, true);

  var am = Cc["@mozilla.org/network/http-auth-manager;1"].
           getService(Ci.nsIHttpAuthManager);
--- a/netwerk/test/unit/test_fallback_no-cache-entry_canceled.js
+++ b/netwerk/test/unit/test_fallback_no-cache-entry_canceled.js
@ -72,10 +72,10 @@ function run_test()

  var pm = Cc["@mozilla.org/permissionmanager;1"]
    .getService(Ci.nsIPermissionManager);
-  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
  var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = ssm.createCodebasePrincipal(uri, {});
+  var principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(uri);

  if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
    dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
--- a/netwerk/test/unit/test_fallback_no-cache-entry_passing.js
+++ b/netwerk/test/unit/test_fallback_no-cache-entry_passing.js
@ -72,10 +72,10 @@ function run_test()

  var pm = Cc["@mozilla.org/permissionmanager;1"]
    .getService(Ci.nsIPermissionManager);
-  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
  var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = ssm.createCodebasePrincipal(uri, {});
+  var principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(uri);

  if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
    dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
--- a/netwerk/test/unit/test_fallback_redirect-to-different-origin_canceled.js
+++ b/netwerk/test/unit/test_fallback_redirect-to-different-origin_canceled.js
@ -80,10 +80,10 @@ function run_test()

  var pm = Cc["@mozilla.org/permissionmanager;1"]
    .getService(Ci.nsIPermissionManager);
-  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
  var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = ssm.createCodebasePrincipal(uri, {});
+  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(uri);

  if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
    dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
--- a/netwerk/test/unit/test_fallback_redirect-to-different-origin_passing.js
+++ b/netwerk/test/unit/test_fallback_redirect-to-different-origin_passing.js
@ -80,10 +80,10 @@ function run_test()

  var pm = Cc["@mozilla.org/permissionmanager;1"]
    .getService(Ci.nsIPermissionManager);
-  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
  var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = ssm.createCodebasePrincipal(uri, {});
+  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(uri);

  if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
    dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
--- a/netwerk/test/unit/test_fallback_request-error_canceled.js
+++ b/netwerk/test/unit/test_fallback_request-error_canceled.js
@ -79,10 +79,10 @@ function run_test()

  var pm = Cc["@mozilla.org/permissionmanager;1"]
    .getService(Ci.nsIPermissionManager);
-  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
  var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = ssm.createCodebasePrincipal(uri, {});
+  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(uri);

  if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
    dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
--- a/netwerk/test/unit/test_fallback_request-error_passing.js
+++ b/netwerk/test/unit/test_fallback_request-error_passing.js
@ -79,10 +79,10 @@ function run_test()

  var pm = Cc["@mozilla.org/permissionmanager;1"]
    .getService(Ci.nsIPermissionManager);
-  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
  var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = ssm.createCodebasePrincipal(uri, {});
+  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(uri);

  if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
    dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
--- a/netwerk/test/unit/test_fallback_response-error_canceled.js
+++ b/netwerk/test/unit/test_fallback_response-error_canceled.js
@ -79,10 +79,10 @@ function run_test()

  var pm = Cc["@mozilla.org/permissionmanager;1"]
    .getService(Ci.nsIPermissionManager);
-  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
  var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = ssm.createCodebasePrincipal(uri, {});
+  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(uri);

  if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
    dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
--- a/netwerk/test/unit/test_fallback_response-error_passing.js
+++ b/netwerk/test/unit/test_fallback_response-error_passing.js
@ -79,10 +79,10 @@ function run_test()

  var pm = Cc["@mozilla.org/permissionmanager;1"]
    .getService(Ci.nsIPermissionManager);
-  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
  var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = ssm.createCodebasePrincipal(uri, {});
+  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(uri);

  if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
    dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
--- a/netwerk/test/unit/test_offlinecache_custom-directory.js
+++ b/netwerk/test/unit/test_offlinecache_custom-directory.js
@ -103,10 +103,10 @@ function run_test()

  var pm = Cc["@mozilla.org/permissionmanager;1"]
    .getService(Ci.nsIPermissionManager);
-  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
  var uri = make_uri("http://localhost:4444");
-  var principal = ssm.createCodebasePrincipal(uri, {});
+  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(uri);

  if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
    dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
--- a/netwerk/test/unit/test_permmgr.js
+++ b/netwerk/test/unit/test_permmgr.js
@ -46,7 +46,7 @@ function run_test() {
  // put a few hosts in
  for (var i = 0; i < hosts.length; ++i) {
    let uri = ioService.newURI(hosts[i][0], null, null);
-    let principal = secMan.createCodebasePrincipal(uri, {});
+    let principal = secMan.getNoAppCodebasePrincipal(uri);

    pm.addFromPrincipal(principal, hosts[i][1], hosts[i][2]);
  }
@ -54,7 +54,7 @@ function run_test() {
  // test the result
  for (var i = 0; i < results.length; ++i) {
    let uri = ioService.newURI(results[i][0], null, null);
-    let principal = secMan.createCodebasePrincipal(uri, {});
+    let principal = secMan.getNoAppCodebasePrincipal(uri);

    do_check_eq(pm.testPermissionFromPrincipal(principal, results[i][1]), results[i][2]);
    do_check_eq(pm.testExactPermissionFromPrincipal(principal, results[i][1]), results[i][3]);
--- a/services/fxaccounts/tests/xpcshell/test_manager.js
+++ b/services/fxaccounts/tests/xpcshell/test_manager.js
@ -25,7 +25,7 @@ function makePrincipal(origin, appId) {
  let secMan = Cc["@mozilla.org/scriptsecuritymanager;1"]
                 .getService(Ci.nsIScriptSecurityManager);
  let uri = Services.io.newURI(origin, null, null);
-  return secMan.createCodebasePrincipal(uri, {appId: appId});
+  return secMan.getAppCodebasePrincipal(uri, appId, false);
 }
 let principal = makePrincipal('app://settings.gaiamobile.org', 27, false);

--- a/services/mobileid/MobileIdentityManager.jsm
+++ b/services/mobileid/MobileIdentityManager.jsm
@ -897,7 +897,9 @@ this.MobileIdentityManager = {
  getMobileIdAssertion: function(aPrincipal, aPromiseId, aOptions) {
    log.debug("getMobileIdAssertion ${}", aPrincipal);

-    let principal = aPrincipal;
+    let uri = Services.io.newURI(aPrincipal.origin, null, null);
+    let principal = securityManager.getAppCodebasePrincipal(
+      uri, aPrincipal.appId, aPrincipal.isInBrowserElement);
    let manifestURL = appsService.getManifestURLByLocalId(aPrincipal.appId);

    let permission = permissionManager.testPermissionFromPrincipal(
--- a/services/mobileid/tests/xpcshell/head.js
+++ b/services/mobileid/tests/xpcshell/head.js
@ -125,10 +125,9 @@ function addPermission(aAction) {
  let uri = Cc["@mozilla.org/network/io-service;1"]
              .getService(Ci.nsIIOService)
              .newURI(ORIGIN, null, null);
-  let attrs = {appId: APP_ID};
  let _principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
                     .getService(Ci.nsIScriptSecurityManager)
-                     .createCodebasePrincipal(uri, attrs);
+                     .getAppCodebasePrincipal(uri, APP_ID, false);
  let pm = Cc["@mozilla.org/permissionmanager;1"]
             .getService(Ci.nsIPermissionManager);
  pm.addFromPrincipal(_principal, MOBILEID_PERM, aAction);
@ -138,10 +137,9 @@ function removePermission() {
  let uri = Cc["@mozilla.org/network/io-service;1"]
              .getService(Ci.nsIIOService)
              .newURI(ORIGIN, null, null);
-  let attrs = {appId: APP_ID};
  let _principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
                     .getService(Ci.nsIScriptSecurityManager)
-                     .createCodebasePrincipal(uri, attrs);
+                     .getAppCodebasePrincipal(uri, APP_ID, false);
  let pm = Cc["@mozilla.org/permissionmanager;1"]
             .getService(Ci.nsIPermissionManager);
  pm.removeFromPrincipal(_principal, MOBILEID_PERM);
--- a/services/sync/Weave.js
+++ b/services/sync/Weave.js
@ -188,8 +188,7 @@ AboutWeaveLog.prototype = {
    // view. That way links to files can be opened.
    let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
                .getService(Ci.nsIScriptSecurityManager);
-    let principal = ssm.createCodebasePrincipal(uri, {});
-
+    let principal = ssm.getNoAppCodebasePrincipal(uri);
    channel.owner = principal;
    return channel;
  }
--- a/testing/marionette/driver/marionette_driver/marionette.py
+++ b/testing/marionette/driver/marionette_driver/marionette.py
@ -809,10 +809,9 @@ class Marionette(object):
                Components.utils.import("resource://gre/modules/Services.jsm");
                let perm = arguments[0];
                let secMan = Services.scriptSecurityManager;
-                let attrs = {appId: perm.appId, inBrowser: perm.isInBrowserElement};
-                let principal = secMan.createCodebasePrincipal(
+                let principal = secMan.getAppCodebasePrincipal(
                                Services.io.newURI(perm.url, null, null),
-                                attrs);
+                                perm.appId, perm.isInBrowserElement);
                let testPerm = Services.perms.testPermissionFromPrincipal(
                               principal, perm.type);
                return testPerm;
@ -871,9 +870,8 @@ class Marionette(object):
                Components.utils.import("resource://gre/modules/Services.jsm");
                let perm = arguments[0];
                let secMan = Services.scriptSecurityManager;
-                let attrs = {appId: perm.appId, inBrowser: perm.isInBrowserElement};
-                let principal = secMan.createCodebasePrincipal(Services.io.newURI(perm.url, null, null),
-                                                               attrs);
+                let principal = secMan.getAppCodebasePrincipal(Services.io.newURI(perm.url, null, null),
+                                perm.appId, perm.isInBrowserElement);
                Services.perms.addFromPrincipal(principal, perm.type, perm.action);
                return true;
                """, script_args=[perm])
--- a/testing/mochitest/tests/Harness_sanity/test_bug816847.html
+++ b/testing/mochitest/tests/Harness_sanity/test_bug816847.html
@ -34,14 +34,19 @@ const unknown = Ci.nsIPermissionManager.UNKNOWN_ACTION;
 const perms = ['network-events', 'geolocation', 'camera', 'alarms']

 function createPrincipal(aURI, aIsApp, aIsInBrowserElement) {
-  if (aIsApp) {
+  if(aIsApp) {
    var app = appsSvc.getAppByManifestURL(aURI);
-    return app.principal;
+    var localId = appsSvc.getAppLocalIdByManifestURL(aURI);
+    var uri = Services.io.newURI(app.origin, null, null);
+    return Services.scriptSecurityManager
+                   .getAppCodebasePrincipal(uri,
+                                            localId,
+                                            aIsInBrowserElement);
  }

  var uri = Services.io.newURI(aURI, null, null);
  return Services.scriptSecurityManager
-                 .createCodebasePrincipal(uri, {});
+                 .getNoAppCodebasePrincipal(uri);
 }

 // test addPermission and removePermission
--- a/testing/specialpowers/content/SpecialPowersObserverAPI.js
+++ b/testing/specialpowers/content/SpecialPowersObserverAPI.js
@ -314,9 +314,7 @@ SpecialPowersObserverAPI.prototype = {
        let msg = aMessage.json;

        let secMan = Services.scriptSecurityManager;
-        // TODO: Bug 1196665 - Add originAttributes into SpecialPowers
-        let attrs = {appId: msg.appId, inBrowser: msg.isInBrowserElement};
-        let principal = secMan.createCodebasePrincipal(this._getURI(msg.url), attrs);
+        let principal = secMan.getAppCodebasePrincipal(this._getURI(msg.url), msg.appId, msg.isInBrowserElement);

        switch (msg.op) {
          case "add":
--- a/toolkit/components/downloads/ApplicationReputation.cpp
+++ b/toolkit/components/downloads/ApplicationReputation.cpp
@ -15,6 +15,7 @@
 #include "nsIHttpChannel.h"
 #include "nsIIOService.h"
 #include "nsIPrefService.h"
+#include "nsIScriptSecurityManager.h"
 #include "nsISimpleEnumerator.h"
 #include "nsIStreamListener.h"
 #include "nsIStringStream.h"
@ -27,7 +28,6 @@
 #include "nsIX509CertDB.h"
 #include "nsIX509CertList.h"

-#include "mozilla/BasePrincipal.h"
 #include "mozilla/Preferences.h"
 #include "mozilla/Services.h"
 #include "mozilla/Telemetry.h"
@ -50,8 +50,6 @@
 #include "nsILoadInfo.h"
 #include "nsContentUtils.h"

-using mozilla::BasePrincipal;
-using mozilla::OriginAttributes;
 using mozilla::Preferences;
 using mozilla::TimeStamp;
 using mozilla::Telemetry::Accumulate;
@ -295,12 +293,13 @@ PendingDBLookup::LookupSpecInternal(const nsACString& aSpec)
  rv = ios->NewURI(aSpec, nullptr, nullptr, getter_AddRefs(uri));
  NS_ENSURE_SUCCESS(rv, rv);

-  OriginAttributes attrs;
-  nsCOMPtr<nsIPrincipal> principal =
-    BasePrincipal::CreateCodebasePrincipal(uri, attrs);
-  if (!principal) {
-    return NS_ERROR_FAILURE;
-  }
+  nsCOMPtr<nsIPrincipal> principal;
+  nsCOMPtr<nsIScriptSecurityManager> secMan =
+    do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  rv = secMan->GetNoAppCodebasePrincipal(uri, getter_AddRefs(principal));
+  NS_ENSURE_SUCCESS(rv, rv);

  // Check local lists to see if the URI has already been whitelisted or
  // blacklisted.
--- a/toolkit/components/downloads/test/unit/test_app_rep.js
+++ b/toolkit/components/downloads/test/unit/test_app_rep.js
@ -317,11 +317,11 @@ add_test(function test_redirect_on_blocklist() {
  let secman = Services.scriptSecurityManager;
  let badRedirects = Cc["@mozilla.org/array;1"]
                       .createInstance(Ci.nsIMutableArray);
-  badRedirects.appendElement(secman.createCodebasePrincipal(exampleURI, {}),
+  badRedirects.appendElement(secman.getNoAppCodebasePrincipal(exampleURI),
                             false);
-  badRedirects.appendElement(secman.createCodebasePrincipal(blocklistedURI, {}),
+  badRedirects.appendElement(secman.getNoAppCodebasePrincipal(blocklistedURI),
                             false);
-  badRedirects.appendElement(secman.createCodebasePrincipal(whitelistedURI, {}),
+  badRedirects.appendElement(secman.getNoAppCodebasePrincipal(whitelistedURI),
                             false);
  gAppRep.queryReputation({
    sourceURI: whitelistedURI,
--- a/toolkit/components/places/BookmarkJSONUtils.jsm
+++ b/toolkit/components/places/BookmarkJSONUtils.jsm
@ -209,7 +209,7 @@ BookmarkImporter.prototype = {
      let uri = NetUtil.newURI(spec);
      let channel = NetUtil.newChannel({
        uri,
-        loadingPrincipal: Services.scriptSecurityManager.createCodebasePrincipal(uri, {}),
+        loadingPrincipal: Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri),
        contentPolicyType: Ci.nsIContentPolicy.TYPE_INTERNAL_XMLHTTPREQUEST
      });
      let streamLoader = Cc["@mozilla.org/network/stream-loader;1"]
--- a/toolkit/components/places/nsLivemarkService.js
+++ b/toolkit/components/places/nsLivemarkService.js
@ -528,7 +528,7 @@ Livemark.prototype = {
                      createInstance(Ci.nsILoadGroup);
      let channel = NetUtil.newChannel({
        uri: this.feedURI.spec,
-        loadingPrincipal: Services.scriptSecurityManager.createCodebasePrincipal(this.feedURI, {}),
+        loadingPrincipal: Services.scriptSecurityManager.getNoAppCodebasePrincipal(this.feedURI),
        contentPolicyType: Ci.nsIContentPolicy.TYPE_INTERNAL_XMLHTTPREQUEST
      }).QueryInterface(Ci.nsIHttpChannel);
      channel.loadGroup = loadgroup;
--- a/toolkit/components/social/SocialService.jsm
+++ b/toolkit/components/social/SocialService.jsm
@ -153,7 +153,7 @@ XPCOMUtils.defineLazyGetter(SocialServiceInternal, "providers", function () {
 function getOriginActivationType(origin) {
  // if this is an about uri, treat it as a directory
  let URI = Services.io.newURI(origin, null, null);
-  let principal = Services.scriptSecurityManager.createCodebasePrincipal(URI, {});
+  let principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(URI);
  if (Services.scriptSecurityManager.isSystemPrincipal(principal) || origin == "moz-safe-about:home") {
    return "internal";
  }
@ -513,7 +513,7 @@ this.SocialService = {
    }
    // force/fixup origin
    let URI = Services.io.newURI(installOrigin, null, null);
-    principal = Services.scriptSecurityManager.createCodebasePrincipal(URI, {});
+    principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(URI);
    data.origin = principal.origin;

    // iconURL and name are required
@ -714,7 +714,7 @@ function SocialProvider(input) {
  this.postActivationURL = input.postActivationURL;
  this.origin = input.origin;
  let originUri = Services.io.newURI(input.origin, null, null);
-  this.principal = Services.scriptSecurityManager.createCodebasePrincipal(originUri, {});
+  this.principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(originUri);
  this.ambientNotificationIcons = {};
  this.errorState = null;
  this.frecency = 0;
--- a/toolkit/components/url-classifier/tests/unit/head_urlclassifier.js
+++ b/toolkit/components/url-classifier/tests/unit/head_urlclassifier.js
@ -221,7 +221,7 @@ checkUrls: function(urls, expected, cb)
  var doLookup = function() {
    if (urls.length > 0) {
      var fragment = urls.shift();
-      var principal = secMan.createCodebasePrincipal(iosvc.newURI("http://" + fragment, null, null), {});
+      var principal = secMan.getNoAppCodebasePrincipal(iosvc.newURI("http://" + fragment, null, null));
      dbservice.lookup(principal, allTables,
                                function(arg) {
                                  do_check_eq(expected, arg);
--- a/toolkit/components/url-classifier/tests/unit/test_dbservice.js
+++ b/toolkit/components/url-classifier/tests/unit/test_dbservice.js
@ -97,7 +97,7 @@ function checkNoHost()
  // Looking up a no-host uri such as a data: uri should throw an exception.
  var exception;
  try {
-    var principal = secMan.createCodebasePrincipal(iosvc.newURI("data:text/html,<b>test</b>", null, null), {});
+    var principal = secMan.getNoAppCodebasePrincipal(iosvc.newURI("data:text/html,<b>test</b>", null, null));
    dbservice.lookup(principal, allTables);

    exception = false;
@ -198,27 +198,26 @@ function checkState()
 {
  numExpecting = 0;

-
  for (var key in phishExpected) {
-    var principal = secMan.createCodebasePrincipal(iosvc.newURI("http://" + key, null, null), {});
+    var principal = secMan.getNoAppCodebasePrincipal(iosvc.newURI("http://" + key, null, null));
    dbservice.lookup(principal, allTables, phishExists, true);
    numExpecting++;
  }

  for (var key in phishUnexpected) {
-    var principal = secMan.createCodebasePrincipal(iosvc.newURI("http://" + key, null, null), {});
+    var principal = secMan.getNoAppCodebasePrincipal(iosvc.newURI("http://" + key, null, null));
    dbservice.lookup(principal, allTables, phishDoesntExist, true);
    numExpecting++;
  }

  for (var key in malwareExpected) {
-    var principal = secMan.createCodebasePrincipal(iosvc.newURI("http://" + key, null, null), {});
+    var principal = secMan.getNoAppCodebasePrincipal(iosvc.newURI("http://" + key, null, null));
    dbservice.lookup(principal, allTables, malwareExists, true);
    numExpecting++;
  }

  for (var key in unwantedExpected) {
-    var principal = secMan.createCodebasePrincipal(iosvc.newURI("http://" + key, null, null), {});
+    var principal = secMan.getNoAppCodebasePrincipal(iosvc.newURI("http://" + key, null, null));
    dbservice.lookup(principal, allTables, unwantedExists, true);
    numExpecting++;
  }
--- a/toolkit/components/url-classifier/tests/unit/test_digest256.js
+++ b/toolkit/components/url-classifier/tests/unit/test_digest256.js
@ -124,7 +124,7 @@ add_test(function test_update() {

 add_test(function test_url_not_whitelisted() {
  let uri = createURI("http://example.com");
-  let principal = gSecMan.createCodebasePrincipal(uri, {});
+  let principal = gSecMan.getNoAppCodebasePrincipal(uri);
  gDbService.lookup(principal, "goog-downloadwhite-digest256",
    function handleEvent(aEvent) {
      // This URI is not on any lists.
@ -137,7 +137,7 @@ add_test(function test_url_whitelisted() {
  // Hash of "whitelisted.com/" (canonicalized URL) is:
  // 93CA5F48E15E9861CD37C2D95DB43D23CC6E6DE5C3F8FA6E8BE66F97CC518907
  let uri = createURI("http://whitelisted.com");
-  let principal = gSecMan.createCodebasePrincipal(uri, {});
+  let principal = gSecMan.getNoAppCodebasePrincipal(uri);
  gDbService.lookup(principal, "goog-downloadwhite-digest256",
    function handleEvent(aEvent) {
      do_check_eq("goog-downloadwhite-digest256", aEvent);
--- a/toolkit/devtools/server/actors/storage.js
+++ b/toolkit/devtools/server/actors/storage.js
@ -1324,7 +1324,7 @@ let indexedDBHelpers = {
      principal = Services.scriptSecurityManager.getSystemPrincipal();
    } else {
      let uri = Services.io.newURI(host, null, null);
-      principal = Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
+      principal = Services.scriptSecurityManager.getCodebasePrincipal(uri);
    }

    return require("indexedDB").openForPrincipal(principal, name);
--- a/toolkit/forgetaboutsite/test/unit/test_removeDataFromDomain.js
+++ b/toolkit/forgetaboutsite/test/unit/test_removeDataFromDomain.js
@ -185,9 +185,9 @@ function add_permission(aURI)
  check_permission_exists(aURI, false);
  let pm = Cc["@mozilla.org/permissionmanager;1"].
           getService(Ci.nsIPermissionManager);
-  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
-  let principal = ssm.createCodebasePrincipal(aURI, {});
+  let principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(aURI);

  pm.addFromPrincipal(principal, PERMISSION_TYPE, PERMISSION_VALUE);
  check_permission_exists(aURI, true);
@ -205,9 +205,9 @@ function check_permission_exists(aURI, aExists)
 {
  let pm = Cc["@mozilla.org/permissionmanager;1"].
           getService(Ci.nsIPermissionManager);
-  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
-  let principal = ssm.createCodebasePrincipal(aURI, {});
+  let principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(aURI);

  let perm = pm.testExactPermissionFromPrincipal(principal, PERMISSION_TYPE);
  let checker = aExists ? do_check_eq : do_check_neq;
@ -554,10 +554,9 @@ function test_storage_cleared()
 {
  function getStorageForURI(aURI)
  {
-    let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
-    let principal = ssm.createCodebasePrincipal(aURI, {});
-
+    let principal = Cc["@mozilla.org/scriptsecuritymanager;1"].
+                    getService(Ci.nsIScriptSecurityManager).
+                    getNoAppCodebasePrincipal(aURI);
    let dsm = Cc["@mozilla.org/dom/localStorage-manager;1"].
              getService(Ci.nsIDOMStorageManager);
    return dsm.createStorage(null, principal, "");
--- a/toolkit/modules/NewTabUtils.jsm
+++ b/toolkit/modules/NewTabUtils.jsm
@ -25,7 +25,7 @@ XPCOMUtils.defineLazyModuleGetter(this, "BinarySearch",

 XPCOMUtils.defineLazyGetter(this, "gPrincipal", function () {
  let uri = Services.io.newURI("about:newtab", null, null);
-  return Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
+  return Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri);
 });

 XPCOMUtils.defineLazyGetter(this, "gCryptoHash", function () {
--- a/toolkit/modules/PermissionsUtils.jsm
+++ b/toolkit/modules/PermissionsUtils.jsm
@ -39,8 +39,8 @@ function importPrefBranch(aPrefBranch, aPermission, aAction) {
          let httpsURI = Services.io.newURI("https://" + origin, null, null);

          principals = [
-            Services.scriptSecurityManager.createCodebasePrincipal(httpURI, {}),
-            Services.scriptSecurityManager.createCodebasePrincipal(httpsURI, {})
+            Services.scriptSecurityManager.getNoAppCodebasePrincipal(httpURI),
+            Services.scriptSecurityManager.getNoAppCodebasePrincipal(httpsURI)
          ];
        } catch (e2) {}
      }
--- a/toolkit/webapps/NativeApp.jsm
+++ b/toolkit/webapps/NativeApp.jsm
@ -457,9 +457,10 @@ function downloadIcon(aIconURI) {
    // installing the app, hence app.origin is not available yet and
    // therefore we can not call getAppCodebasePrincipal.
    let principal =
-      aIconURI.schemeIs("chrome") ?
-        Services.scriptSecurityManager.getSystemPrincipal() :
-        Services.scriptSecurityManager.createCodebasePrincipal(aIconURI, {});
+      aIconURI.schemeIs("chrome") ? Services.scriptSecurityManager
+                                            .getSystemPrincipal()
+                                  : Services.scriptSecurityManager
+                                            .getNoAppCodebasePrincipal(aIconURI);

    let channel = NetUtil.newChannel({
      uri: aIconURI,
--- a/uriloader/prefetch/OfflineCacheUpdateParent.cpp
+++ b/uriloader/prefetch/OfflineCacheUpdateParent.cpp
@ -5,7 +5,6 @@

 #include "OfflineCacheUpdateParent.h"

-#include "mozilla/BasePrincipal.h"
 #include "mozilla/dom/TabParent.h"
 #include "mozilla/ipc/URIUtils.h"
 #include "mozilla/unused.h"
@ -13,10 +12,9 @@
 #include "nsIApplicationCache.h"
 #include "nsIScriptSecurityManager.h"
 #include "nsNetUtil.h"
+#include "nsContentUtils.h"

 using namespace mozilla::ipc;
-using mozilla::BasePrincipal;
-using mozilla::OriginAttributes;
 using mozilla::dom::TabParent;

 //
@ -93,10 +91,10 @@ OfflineCacheUpdateParent::Schedule(const URIParams& aManifestURI,

    bool offlinePermissionAllowed = false;

-    // TODO: Bug 1165466 - use OriginAttributes
-    OriginAttributes attrs(mAppId, mIsInBrowserElement);
-    nsCOMPtr<nsIPrincipal> principal =
-      BasePrincipal::CreateCodebasePrincipal(manifestURI, attrs);
+    nsCOMPtr<nsIPrincipal> principal;
+    nsContentUtils::GetSecurityManager()->
+        GetAppCodebasePrincipal(manifestURI, mAppId, mIsInBrowserElement,
+                                getter_AddRefs(principal));

    nsresult rv = service->OfflineAppAllowed(
        principal, nullptr, &offlinePermissionAllowed);
--- a/uriloader/prefetch/nsOfflineCacheUpdateService.cpp
+++ b/uriloader/prefetch/nsOfflineCacheUpdateService.cpp
@ -29,6 +29,7 @@
 #include "nsICryptoHash.h"
 #include "nsIPermissionManager.h"
 #include "nsIPrincipal.h"
+#include "nsIScriptSecurityManager.h"
 #include "nsNetCID.h"
 #include "nsServiceManagerUtils.h"
 #include "nsStreamUtils.h"
@ -717,9 +718,9 @@ nsOfflineCacheUpdateService::OfflineAppAllowedForURI(nsIURI *aURI,
                                                     nsIPrefBranch *aPrefBranch,
                                                     bool *aAllowed)
 {
-    OriginAttributes attrs;
-    nsCOMPtr<nsIPrincipal> principal =
-        BasePrincipal::CreateCodebasePrincipal(aURI, attrs);
+    nsCOMPtr<nsIPrincipal> principal;
+    nsContentUtils::GetSecurityManager()->
+        GetNoAppCodebasePrincipal(aURI, getter_AddRefs(principal));
    return OfflineAppPermForPrincipal(principal, aPrefBranch, false, aAllowed);
 }

@ -728,9 +729,9 @@ nsOfflineCacheUpdateService::OfflineAppPinnedForURI(nsIURI *aDocumentURI,
                                                    nsIPrefBranch *aPrefBranch,
                                                    bool *aPinned)
 {
-    OriginAttributes attrs;
-    nsCOMPtr<nsIPrincipal> principal =
-        BasePrincipal::CreateCodebasePrincipal(aDocumentURI, attrs);
+    nsCOMPtr<nsIPrincipal> principal;
+    nsContentUtils::GetSecurityManager()->
+        GetNoAppCodebasePrincipal(aDocumentURI, getter_AddRefs(principal));
    return OfflineAppPermForPrincipal(principal, aPrefBranch, true, aPinned);
 }