Bug 1165272 - Part 2: replace getNoAppCodebasePrincipal. r=bholley

2024-09-13 09:24:08 -07:00 · 2015-08-18 15:01:42 +08:00 · 2015-08-18 15:01:42 +08:00 · fd98ffd5d7
commit fd98ffd5d7
parent 98f6ea7f6c
67 changed files with 230 additions and 218 deletions
--- a/browser/base/content/aboutSocialError.xhtml
+++ b/browser/base/content/aboutSocialError.xhtml
@ -55,7 +55,8 @@
      // the error message.
      if (!config.origin) {
        let URI = Services.io.newURI(url, null, null);
-        config.origin = Services.scriptSecurityManager.getNoAppCodebasePrincipal(URI).origin;
+        config.origin =
+          Services.scriptSecurityManager.createCodebasePrincipal(URI, {}).origin;
      }

      switch (mode) {
--- a/browser/base/content/test/general/browser_offlineQuotaNotification.js
+++ b/browser/base/content/test/general/browser_offlineQuotaNotification.js
@ -11,7 +11,7 @@ const URL = "http://mochi.test:8888/browser/browser/base/content/test/general/of
 registerCleanupFunction(function() {
  // Clean up after ourself
  let uri = Services.io.newURI(URL, null, null);
-  var principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri);
+  let principal = Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
  Services.perms.removeFromPrincipal(principal, "offline-app");
  Services.prefs.clearUserPref("offline-apps.quota.warn");
  Services.prefs.clearUserPref("offline-apps.allow_by_default");
--- a/browser/base/content/test/general/browser_sanitizeDialog.js
+++ b/browser/base/content/test/general/browser_sanitizeDialog.js
@ -564,7 +564,7 @@ var gAllTests = [

    var sm = Cc["@mozilla.org/scriptsecuritymanager;1"]
             .getService(Ci.nsIScriptSecurityManager);
-    var principal = sm.getNoAppCodebasePrincipal(URI);
+    var principal = sm.createCodebasePrincipal(URI, {});

    // Give www.example.com privileges to store offline data
    var pm = Cc["@mozilla.org/permissionmanager;1"]
@ -634,7 +634,7 @@ var gAllTests = [

    var sm = Cc["@mozilla.org/scriptsecuritymanager;1"]
             .getService(Ci.nsIScriptSecurityManager);
-    var principal = sm.getNoAppCodebasePrincipal(URI);
+    var principal = sm.createCodebasePrincipal(URI, {});

    // Open the dialog
    let wh = new WindowHelper();
--- a/browser/base/content/test/general/test_offlineNotification.html
+++ b/browser/base/content/test/general/test_offlineNotification.html
@ -43,12 +43,10 @@ window.addEventListener("message", function(event) {
      var uri1 = ioService.newURI(frames.testFrame.location, null, null);
      var uri2 = ioService.newURI(frames.testFrame3.location, null, null);

-      var principal1 = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                        .getService(SpecialPowers.Ci.nsIScriptSecurityManager)
-                        .getNoAppCodebasePrincipal(uri1);
-      var principal2 = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                        .getService(SpecialPowers.Ci.nsIScriptSecurityManager)
-                        .getNoAppCodebasePrincipal(uri2);
+      var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+                  .getService(SpecialPowers.Ci.nsIScriptSecurityManager);
+      var principal1 = ssm.createCodebasePrincipal(uri1, {});
+      var principal2 = ssm.createCodebasePrincipal(uri2, {});

      pm.removeFromPrincipal(principal1, "offline-app");
      pm.removeFromPrincipal(principal2, "offline-app");
--- a/browser/base/content/test/general/test_offline_gzip.html
+++ b/browser/base/content/test/general/test_offline_gzip.html
@ -39,9 +39,9 @@ function finishTest() {

  var uri = Cc["@mozilla.org/network/io-service;1"].getService(SpecialPowers.Ci.nsIIOService)
              .newURI(window.frames[0].location, null, null);
-  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                   .getService(SpecialPowers.Ci.nsIScriptSecurityManager)
-                   .getNoAppCodebasePrincipal(uri);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(SpecialPowers.Ci.nsIScriptSecurityManager);
+  var principal = ssm.createCodebasePrincipal(uri, {});

  pm.removeFromPrincipal(principal, "offline-app");

--- a/browser/base/content/test/newtab/head.js
+++ b/browser/base/content/test/newtab/head.js
@ -18,7 +18,7 @@ Cu.import("resource://gre/modules/Timer.jsm", tmp);
 let {Promise, NewTabUtils, Sanitizer, clearTimeout, setTimeout, DirectoryLinksProvider, PlacesTestUtils} = tmp;

 let uri = Services.io.newURI("about:newtab", null, null);
-let principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri);
+let principal = Services.scriptSecurityManager.createCodebasePrincipal(uri, {});

 let isMac = ("nsILocalFileMac" in Ci);
 let isLinux = ("@mozilla.org/gnome-gconf-service;1" in Cc);
--- a/browser/components/feeds/FeedConverter.js
+++ b/browser/components/feeds/FeedConverter.js
@ -254,7 +254,7 @@ FeedConverter.prototype = {
        chromeChannel = ios.newChannelFromURIWithLoadInfo(aboutFeedsURI, loadInfo);
        chromeChannel.originalURI = result.uri;
        chromeChannel.owner =
-          Services.scriptSecurityManager.getNoAppCodebasePrincipal(aboutFeedsURI);
+          Services.scriptSecurityManager.createCodebasePrincipal(aboutFeedsURI, {});
      } else {
        chromeChannel = ios.newChannelFromURIWithLoadInfo(result.uri, loadInfo);
      }
--- a/browser/components/preferences/aboutPermissions.js
+++ b/browser/components/preferences/aboutPermissions.js
@ -505,7 +505,7 @@ let AboutPermissions = {
        while (row = aResults.getNextRow()) {
          let spec = row.getResultByName("url");
          let uri = NetUtil.newURI(spec);
-          let principal = gSecMan.getNoAppCodebasePrincipal(uri);
+          let principal = gSecMan.createCodebasePrincipal(uri, {});

          AboutPermissions.addPrincipal(principal);
        }
@ -556,7 +556,7 @@ let AboutPermissions = {
      try {
        // aLogin.hostname is a string in origin URL format (e.g. "http://foo.com")
        let uri = NetUtil.newURI(aLogin.hostname);
-        let principal = gSecMan.getNoAppCodebasePrincipal(uri);
+        let principal = gSecMan.createCodebasePrincipal(uri, {});
        this.addPrincipal(principal);
      } catch (e) {
        // newURI will throw for add-ons logins stored in chrome:// URIs
@ -572,7 +572,7 @@ let AboutPermissions = {
      try {
        // aHostname is a string in origin URL format (e.g. "http://foo.com")
        let uri = NetUtil.newURI(aHostname);
-        let principal = gSecMan.getNoAppCodebasePrincipal(uri);
+        let principal = gSecMan.createCodebasePrincipal(uri, {});
        this.addPrincipal(principal);
      } catch (e) {
        // newURI will throw for add-ons logins stored in chrome:// URIs
--- a/browser/components/preferences/permissions.js
+++ b/browser/components/preferences/permissions.js
@ -95,12 +95,12 @@ var gPermissionManager = {
      let uri;
      try {
        uri = Services.io.newURI(input_url, null, null);
-        principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri);
+        principal = Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
        // If we have ended up with an unknown scheme, the following will throw.
        principal.origin;
      } catch(ex) {
        uri = Services.io.newURI("http://" + input_url, null, null);
-        principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri);
+        principal = Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
        // If we have ended up with an unknown scheme, the following will throw.
        principal.origin;
      }
--- a/browser/components/preferences/tests/browser_permissions.js
+++ b/browser/components/preferences/tests/browser_permissions.js
@ -8,8 +8,10 @@ const ABOUT_PERMISSIONS_SPEC = "about:permissions";
 const TEST_URI_1 = NetUtil.newURI("http://mozilla.com/");
 const TEST_URI_2 = NetUtil.newURI("http://mozilla.org/");

-const TEST_PRINCIPAL_1 = Services.scriptSecurityManager.getNoAppCodebasePrincipal(TEST_URI_1);
-const TEST_PRINCIPAL_2 = Services.scriptSecurityManager.getNoAppCodebasePrincipal(TEST_URI_2);
+const TEST_PRINCIPAL_1 =
+  Services.scriptSecurityManager.createCodebasePrincipal(TEST_URI_1, {});
+const TEST_PRINCIPAL_2 =
+  Services.scriptSecurityManager.createCodebasePrincipal(TEST_URI_2, {});

 // values from DefaultPermissions object
 const PERM_UNKNOWN = 0;
--- a/browser/devtools/styleinspector/test/browser_styleinspector_csslogic-content-stylesheets.js
+++ b/browser/devtools/styleinspector/test/browser_styleinspector_csslogic-content-stylesheets.js
@ -15,9 +15,9 @@ const TEST_URI_XUL = TEST_URL_ROOT + "doc_content_stylesheet.xul";
 const XUL_URI = Cc["@mozilla.org/network/io-service;1"]
                .getService(Ci.nsIIOService)
                .newURI(TEST_URI_XUL, null, null);
-const XUL_PRINCIPAL = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                        .getService(Ci.nsIScriptSecurityManager)
-                        .getNoAppCodebasePrincipal(XUL_URI);
+let ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                            .getService(Ci.nsIScriptSecurityManager);
+const XUL_PRINCIPAL = ssm.createCodebasePrincipal(XUL_URI, {});

 add_task(function*() {
  info("Checking stylesheets on HTML document");
--- a/browser/extensions/pdfjs/content/PdfStreamConverter.jsm
+++ b/browser/extensions/pdfjs/content/PdfStreamConverter.jsm
@ -995,14 +995,21 @@ PdfStreamConverter.prototype = {

    // We can use resource principal when data is fetched by the chrome
    // e.g. useful for NoScript
-    var securityManager = Cc['@mozilla.org/scriptsecuritymanager;1']
-                          .getService(Ci.nsIScriptSecurityManager);
+    var ssm = Cc['@mozilla.org/scriptsecuritymanager;1']
+                .getService(Ci.nsIScriptSecurityManager);
    var uri = NetUtil.newURI(PDF_VIEWER_WEB_PAGE, null, null);
    // FF16 and below had getCodebasePrincipal, it was replaced by
    // getNoAppCodebasePrincipal (bug 758258).
-    var resourcePrincipal = 'getNoAppCodebasePrincipal' in securityManager ?
-                            securityManager.getNoAppCodebasePrincipal(uri) :
-                            securityManager.getCodebasePrincipal(uri);
+    // FF 43 added createCodebasePrincipal to replace getNoAppCodebasePrincipal
+    // (bug 1165272).
+    var resourcePrincipal
+    if ('createCodebasePrincipal' in ssm) {
+      resourcePrincipal = ssm.createCodebasePrincipal(uri, {});
+    } else if ('getNoAppCodebasePrincipal' in ssm) {
+      resourcePrincipal = ssm.getNoAppCodebasePrincipal(uri)
+    } else {
+      resourcePrincipal = ssm.getCodebasePrincipal(uri);
+    }
    aRequest.owner = resourcePrincipal;
    channel.asyncOpen(proxy, aContext);
  },
--- a/browser/extensions/shumway/chrome/SpecialStorage.jsm
+++ b/browser/extensions/shumway/chrome/SpecialStorage.jsm
@ -22,9 +22,9 @@ var SpecialStorageUtils = {
  createWrappedSpecialStorage: function (sandbox, swfUrl, privateBrowsing) {
    // Creating internal localStorage object based on url and privateBrowsing setting.
    var uri = Services.io.newURI(swfUrl, null, null);
-    var principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                              .getService(Components.interfaces.nsIScriptSecurityManager)
-                              .getNoAppCodebasePrincipal(uri);
+    var ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                                .getService(Components.interfaces.nsIScriptSecurityManager);
+    var principal = ssm.createCodebasePrincipal(uri, {});
    var dsm = Components.classes["@mozilla.org/dom/localStorage-manager;1"]
                                .getService(Components.interfaces.nsIDOMStorageManager);
    var storage = dsm.createStorage(null, principal, privateBrowsing);
--- a/browser/modules/Feeds.jsm
+++ b/browser/modules/Feeds.jsm
@ -66,7 +66,8 @@ this.Feeds = {
    if (aIsFeed) {
      // re-create the principal as it may be a CPOW.
      let principalURI = BrowserUtils.makeURIFromCPOW(aPrincipal.URI);
-      let principalToCheck = Services.scriptSecurityManager.getNoAppCodebasePrincipal(principalURI);
+      let principalToCheck =
+        Services.scriptSecurityManager.createCodebasePrincipal(principalURI, {});
      try {
        BrowserUtils.urlSecurityCheck(aLink.href, principalToCheck,
                                      Ci.nsIScriptSecurityManager.DISALLOW_INHERIT_PRINCIPAL);
--- a/caps/nsIScriptSecurityManager.idl
+++ b/caps/nsIScriptSecurityManager.idl
@ -26,7 +26,7 @@ class DomainPolicyClone;
 [ptr] native JSObjectPtr(JSObject);
 [ptr] native DomainPolicyClonePtr(mozilla::dom::DomainPolicyClone);

-[scriptable, uuid(73f92674-f59d-4c9b-a9b5-f7a3ae8ffa98)]
+[scriptable, uuid(6e8a4d1e-d9c6-4d86-bf53-d73f58f36148)]
 interface nsIScriptSecurityManager : nsISupports
 {
    /**
@ -177,8 +177,10 @@ interface nsIScriptSecurityManager : nsISupports
     * Returns a principal with that has the same origin as uri and is not part
     * of an appliction.
     * The returned principal will have appId = NO_APP_ID.
+     *
+     * @deprecated use createCodebasePrincipal instead.
     */
-    nsIPrincipal getNoAppCodebasePrincipal(in nsIURI uri);
+    [deprecated] nsIPrincipal getNoAppCodebasePrincipal(in nsIURI uri);

    /**
     * Legacy method for getting a principal with no origin attributes.
--- a/dom/cache/test/mochitest/test_chrome_constructor.html
+++ b/dom/cache/test/mochitest/test_chrome_constructor.html
@ -20,7 +20,7 @@
    // attach to a different origin's CacheStorage
    var url = 'http://example.com/';
    var uri = Services.io.newURI(url, null, null);
-    var principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri);
+    var principal = Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
    var storage = new CacheStorage('content', principal);

    // verify we can use the other origin's CacheStorage as normal
--- a/dom/indexedDB/test/head.js
+++ b/dom/indexedDB/test/head.js
@ -116,9 +116,9 @@ function setPermission(url, permission)
  let uri = Components.classes["@mozilla.org/network/io-service;1"]
                      .getService(Components.interfaces.nsIIOService)
                      .newURI(url, null, null);
-  let principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  let ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                      .getService(Ci.nsIScriptSecurityManager);
+  let principal = ssm.createCodebasePrincipal(uri, {});

  Components.classes["@mozilla.org/permissionmanager;1"]
            .getService(nsIPermissionManager)
@ -131,9 +131,9 @@ function removePermission(url, permission)
  let uri = Components.classes["@mozilla.org/network/io-service;1"]
                      .getService(Components.interfaces.nsIIOService)
                      .newURI(url, null, null);
-  let principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  let ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                      .getService(Ci.nsIScriptSecurityManager);
+  let principal = ssm.createCodebasePrincipal(uri, {});

  Components.classes["@mozilla.org/permissionmanager;1"]
            .getService(Components.interfaces.nsIPermissionManager)
@ -145,9 +145,9 @@ function getPermission(url, permission)
  let uri = Components.classes["@mozilla.org/network/io-service;1"]
                      .getService(Components.interfaces.nsIIOService)
                      .newURI(url, null, null);
-  let principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  let ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                      .getService(Ci.nsIScriptSecurityManager);
+  let principal = ssm.createCodebasePrincipal(uri, {});

  return Components.classes["@mozilla.org/permissionmanager;1"]
                   .getService(Components.interfaces.nsIPermissionManager)
--- a/dom/indexedDB/test/unit/test_defaultStorageUpgrade.js
+++ b/dom/indexedDB/test/unit/test_defaultStorageUpgrade.js
@ -90,14 +90,10 @@ function testSteps()
    let request;
    if ("url" in params) {
      let uri = ios.newURI(params.url, null, null);
-      let principal;
-      if ("appId" in params) {
-        principal =
-          ssm.createCodebasePrincipal(uri, {appId: params.appId,
-                                            inBrowser: params.inMozBrowser});
-      } else {
-        principal = ssm.getNoAppCodebasePrincipal(uri);
-      }
+      let principal =
+        ssm.createCodebasePrincipal(uri,
+                                    {appId: params.appId || ssm.NO_APPID,
+                                     inBrowser: params.inMozBrowser});
      if ("dbVersion" in params) {
        request = indexedDB.openForPrincipal(principal, params.dbName,
                                             params.dbVersion);
--- a/dom/indexedDB/test/unit/test_idle_maintenance.js
+++ b/dom/indexedDB/test/unit/test_idle_maintenance.js
@ -10,9 +10,9 @@ function testSteps()
  let uri = Cc["@mozilla.org/network/io-service;1"].
            getService(Ci.nsIIOService).
            newURI("https://www.example.com", null, null);
-  let principal = Cc["@mozilla.org/scriptsecuritymanager;1"].
-                  getService(Ci.nsIScriptSecurityManager).
-                  getNoAppCodebasePrincipal(uri);
+  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+  let principal = ssm.createCodebasePrincipal(uri, {});

  info("Setting permissions");

--- a/dom/indexedDB/test/unit/test_metadataRestore.js
+++ b/dom/indexedDB/test/unit/test_metadataRestore.js
@ -67,7 +67,7 @@ function testSteps()
    let request;
    if ("url" in params) {
      let uri = ios.newURI(params.url, null, null);
-      let principal = ssm.getNoAppCodebasePrincipal(uri);
+      let principal = ssm.createCodebasePrincipal(uri, {});
      request = indexedDB.openForPrincipal(principal, params.dbName,
                                           params.dbOptions);
    } else {
--- a/dom/indexedDB/test/unit/test_open_for_principal.js
+++ b/dom/indexedDB/test/unit/test_open_for_principal.js
@ -48,9 +48,9 @@ function testSteps()
  let uri = Components.classes["@mozilla.org/network/io-service;1"]
                      .getService(Components.interfaces.nsIIOService)
                      .newURI("http://appdata.example.com", null, null);
-  let principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                     .getService(Components.interfaces.nsIScriptSecurityManager)
-                     .getNoAppCodebasePrincipal(uri);
+  let ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                      .getService(Components.interfaces.nsIScriptSecurityManager);
+  let principal = ssm.createCodebasePrincipal(uri, {});

  request = indexedDB.openForPrincipal(principal, name, 1);
  request.onerror = errorHandler;
--- a/dom/indexedDB/test/unit/test_temporary_storage.js
+++ b/dom/indexedDB/test/unit/test_temporary_storage.js
@ -34,9 +34,9 @@ function testSteps()
    let uri = Cc["@mozilla.org/network/io-service;1"]
                .getService(Ci.nsIIOService)
                .newURI(url, null, null);
-    return Cc["@mozilla.org/scriptsecuritymanager;1"]
-             .getService(Ci.nsIScriptSecurityManager)
-             .getNoAppCodebasePrincipal(uri);
+    let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+                .getService(Ci.nsIScriptSecurityManager);
+    return ssm.createCodebasePrincipal(uri, {});
  }

  for (let temporary of [true, false]) {
--- a/dom/tests/mochitest/chrome/test_MozDomFullscreen_event.xul
+++ b/dom/tests/mochitest/chrome/test_MozDomFullscreen_event.xul
@ -27,9 +27,9 @@ function make_uri(url) {
 // Ensure "fullscreen" permissions are not present on the test URI.
 var pm = Cc["@mozilla.org/permissionmanager;1"].getService(Ci.nsIPermissionManager);
 var uri = make_uri("http://mochi.test:8888");
-var principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                  .getService(Ci.nsIScriptSecurityManager)
-                  .getNoAppCodebasePrincipal(uri);
+var ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                            .getService(Ci.nsIScriptSecurityManager);
+var principal = ssm.createCodebasePrincipal(uri, {});
 pm.removeFromPrincipal(principal, "fullscreen");

 SpecialPowers.pushPrefEnv({"set": [
--- a/dom/tests/mochitest/localstorage/test_localStorageFromChrome.xhtml
+++ b/dom/tests/mochitest/localstorage/test_localStorageFromChrome.xhtml
@ -18,11 +18,11 @@ function startTest()
    .getService(Components.interfaces.nsIDOMStorageManager);

  var uri = ios.newURI(url, "", null);
-  var principal = ssm.getNoAppCodebasePrincipal(uri);
+  var principal = ssm.createCodebasePrincipal(uri, {});
  var storage = dsm.createStorage(window, principal, "");
-  
+
  storage.setItem("chromekey", "chromevalue");
-  
+
  var aframe = document.getElementById("aframe");
  aframe.onload = function()
  {
--- a/extensions/cookie/nsPermission.cpp
+++ b/extensions/cookie/nsPermission.cpp
@ -7,7 +7,6 @@
 #include "nsContentUtils.h"
 #include "nsIClassInfoImpl.h"
 #include "nsIEffectiveTLDService.h"
-#include "nsIScriptSecurityManager.h"
 #include "mozilla/BasePrincipal.h"

 // nsPermission Implementation
@ -168,12 +167,9 @@ nsPermission::MatchesURI(nsIURI* aURI, bool aExactHost, bool* aMatches)
 {
  NS_ENSURE_ARG_POINTER(aURI);

-  nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
-  NS_ENSURE_TRUE(secMan, NS_ERROR_FAILURE);
-
-  nsCOMPtr<nsIPrincipal> principal;
-  nsresult rv = secMan->GetNoAppCodebasePrincipal(aURI, getter_AddRefs(principal));
-  NS_ENSURE_SUCCESS(rv, rv);
+  mozilla::OriginAttributes attrs;
+  nsCOMPtr<nsIPrincipal> principal = mozilla::BasePrincipal::CreateCodebasePrincipal(aURI, attrs);
+  NS_ENSURE_TRUE(principal, NS_ERROR_FAILURE);

  return Matches(principal, aExactHost, aMatches);
 }
--- a/extensions/cookie/nsPermissionManager.cpp
+++ b/extensions/cookie/nsPermissionManager.cpp
@ -138,10 +138,12 @@ GetPrincipal(nsIURI* aURI, uint32_t aAppId, bool aIsInBrowserElement, nsIPrincip
 nsresult
 GetPrincipal(nsIURI* aURI, nsIPrincipal** aPrincipal)
 {
-  nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
-  NS_ENSURE_TRUE(secMan, NS_ERROR_FAILURE);
+  mozilla::OriginAttributes attrs;
+  nsCOMPtr<nsIPrincipal> principal = mozilla::BasePrincipal::CreateCodebasePrincipal(aURI, attrs);
+  NS_ENSURE_TRUE(principal, NS_ERROR_FAILURE);

-  return secMan->GetNoAppCodebasePrincipal(aURI, aPrincipal);
+  principal.forget(aPrincipal);
+  return NS_OK;
 }

 nsCString
--- a/extensions/cookie/test/unit/test_permmanager_defaults.js
+++ b/extensions/cookie/test/unit/test_permmanager_defaults.js
@ -51,10 +51,11 @@ add_task(function* do_test() {
           getService(Ci.nsIPermissionManager);

  // test the default permission was applied.
-  let principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(TEST_ORIGIN);
-  let principalHttps = Services.scriptSecurityManager.getNoAppCodebasePrincipal(TEST_ORIGIN_HTTPS);
-  let principal2 = Services.scriptSecurityManager.getNoAppCodebasePrincipal(TEST_ORIGIN_2);
-  let principal3 = Services.scriptSecurityManager.getNoAppCodebasePrincipal(TEST_ORIGIN_3);
+  let principal = Services.scriptSecurityManager.createCodebasePrincipal(TEST_ORIGIN, {});
+  let principalHttps = Services.scriptSecurityManager.createCodebasePrincipal(TEST_ORIGIN_HTTPS, {});
+  let principal2 = Services.scriptSecurityManager.createCodebasePrincipal(TEST_ORIGIN_2, {});
+  let principal3 = Services.scriptSecurityManager.createCodebasePrincipal(TEST_ORIGIN_3, {});
+
  let attrs = {appId: 1000, inBrowser: true};
  let principal4 = Services.scriptSecurityManager.createCodebasePrincipal(TEST_ORIGIN, attrs);
  let principal5 = Services.scriptSecurityManager.createCodebasePrincipal(TEST_ORIGIN_3, attrs);
@ -223,7 +224,7 @@ function checkCapabilityViaDB(expected, origin = TEST_ORIGIN, type = TEST_PERMIS
 // value (ie, the "capability" in nsIPermission parlance) or null if it can't
 // be found.
 function findCapabilityViaDB(origin = TEST_ORIGIN, type = TEST_PERMISSION) {
-  let principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(origin);
+  let principal = Services.scriptSecurityManager.createCodebasePrincipal(origin, {});
  let originStr = principal.origin;

  let file = Services.dirsvc.get("ProfD", Ci.nsIFile);
--- a/extensions/cookie/test/unit/test_permmanager_expiration.js
+++ b/extensions/cookie/test/unit/test_permmanager_expiration.js
@ -21,7 +21,7 @@ function do_run_test() {

  let pm = Services.perms;
  let permURI = NetUtil.newURI("http://example.com");
-  let principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(permURI);
+  let principal = Services.scriptSecurityManager.createCodebasePrincipal(permURI, {});

  let now = Number(Date.now());

--- a/extensions/cookie/test/unit/test_permmanager_getPermissionObject.js
+++ b/extensions/cookie/test/unit/test_permmanager_getPermissionObject.js
@ -1,10 +1,11 @@
 /* Any copyright is dedicated to the Public Domain.
   http://creativecommons.org/publicdomain/zero/1.0/ */

-function getPrincipalFromURI(uri) {
-  return Cc["@mozilla.org/scriptsecuritymanager;1"]
-           .getService(Ci.nsIScriptSecurityManager)
-           .getNoAppCodebasePrincipal(NetUtil.newURI(uri));
+function getPrincipalFromURI(aURI) {
+  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+  let uri = NetUtil.newURI(aURI);
+  return ssm.createCodebasePrincipal(uri, {});
 }

 function getSystemPrincipal() {
--- a/extensions/cookie/test/unit/test_permmanager_idn.js
+++ b/extensions/cookie/test/unit/test_permmanager_idn.js
@ -2,9 +2,10 @@
   http://creativecommons.org/publicdomain/zero/1.0/ */

 function getPrincipalFromDomain(aDomain) {
-  return Cc["@mozilla.org/scriptsecuritymanager;1"]
-           .getService(Ci.nsIScriptSecurityManager)
-           .getNoAppCodebasePrincipal(NetUtil.newURI("http://" + aDomain));
+  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+  let uri = NetUtil.newURI("http://" + aDomain);
+  return ssm.createCodebasePrincipal(uri, {});
 }

 function run_test() {
@ -45,4 +46,4 @@ function run_test() {
  do_check_eq(pm.testPermissionFromPrincipal(witnessPrincipal, perm), pm.UNKNOWN_ACTION);
  witnessPrincipal = getPrincipalFromDomain("foo.bar.com");
  do_check_eq(pm.testPermissionFromPrincipal(witnessPrincipal, perm), pm.UNKNOWN_ACTION);
-}
+}
--- a/extensions/cookie/test/unit/test_permmanager_load_invalid_entries.js
+++ b/extensions/cookie/test/unit/test_permmanager_load_invalid_entries.js
@ -134,8 +134,9 @@ function run_test() {
  do_check_true(numMigrated > 0, "we found at least 1 record that was migrated");

  // This permission should always be there.
-  let principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(NetUtil.newURI("http://example.org"));
+  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+  let uri = NetUtil.newURI("http://example.org");
+  let principal = ssm.createCodebasePrincipal(uri, {});
  do_check_eq(pm.testPermissionFromPrincipal(principal, 'test-load-invalid-entries'), Ci.nsIPermissionManager.ALLOW_ACTION);
 }
--- a/extensions/cookie/test/unit/test_permmanager_local_files.js
+++ b/extensions/cookie/test/unit/test_permmanager_local_files.js
@ -5,7 +5,8 @@

 function getPrincipalFromURIString(uriStr)
 {
-  return Services.scriptSecurityManager.getNoAppCodebasePrincipal(NetUtil.newURI(uriStr));
+  let uri = NetUtil.newURI(uriStr);
+  return Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
 }

 function run_test() {
--- a/extensions/cookie/test/unit/test_permmanager_matches.js
+++ b/extensions/cookie/test/unit/test_permmanager_matches.js
@ -38,12 +38,12 @@ function run_test() {
  let uri4 = NetUtil.newURI("https://hangouts.google.com/#!/hangout", null, null);
  let uri5 = NetUtil.newURI("http://google.com:8096/", null, null);

-  let uri0_n_n = secMan.getNoAppCodebasePrincipal(uri0);
-  let uri1_n_n = secMan.getNoAppCodebasePrincipal(uri1);
-  let uri2_n_n = secMan.getNoAppCodebasePrincipal(uri2);
-  let uri3_n_n = secMan.getNoAppCodebasePrincipal(uri3);
-  let uri4_n_n = secMan.getNoAppCodebasePrincipal(uri4);
-  let uri5_n_n = secMan.getNoAppCodebasePrincipal(uri5);
+  let uri0_n_n = secMan.createCodebasePrincipal(uri0, {});
+  let uri1_n_n = secMan.createCodebasePrincipal(uri1, {});
+  let uri2_n_n = secMan.createCodebasePrincipal(uri2, {});
+  let uri3_n_n = secMan.createCodebasePrincipal(uri3, {});
+  let uri4_n_n = secMan.createCodebasePrincipal(uri4, {});
+  let uri5_n_n = secMan.createCodebasePrincipal(uri5, {});

  let attrs = {appId: 1000};
  let uri0_1000_n = secMan.createCodebasePrincipal(uri0, attrs);
--- a/extensions/cookie/test/unit/test_permmanager_matchesuri.js
+++ b/extensions/cookie/test/unit/test_permmanager_matchesuri.js
@ -31,9 +31,8 @@ function mk_permission(uri, isAppPermission = false) {

  // Get the permission from the principal!
  let attrs = {appId: 1000};
-  let principal = isAppPermission ?
-        secMan.createCodebasePrincipal(uri, attrs) :
-        secMan.getNoAppCodebasePrincipal(uri);
+  let principal =
+    secMan.createCodebasePrincipal(uri, isAppPermission ? attrs : {});

  pm.addFromPrincipal(principal, "test/matchesuri", pm.ALLOW_ACTION);
  let permission = pm.getPermissionObject(principal, "test/matchesuri", true);
--- a/extensions/cookie/test/unit/test_permmanager_notifications.js
+++ b/extensions/cookie/test/unit/test_permmanager_notifications.js
@ -23,9 +23,10 @@ function do_run_test() {
  let pm = Services.perms;
  let now = Number(Date.now());
  let permType = "test/expiration-perm";
-  let principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(NetUtil.newURI("http://example.com"));
+  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+  let uri = NetUtil.newURI("http://example.com");
+  let principal = ssm.createCodebasePrincipal(uri, {});

  let observer = new permission_observer(test_generator, now, permType);
  Services.obs.addObserver(observer, "perm-changed", false);
--- a/extensions/cookie/test/unit/test_permmanager_removesince.js
+++ b/extensions/cookie/test/unit/test_permmanager_removesince.js
@ -24,10 +24,10 @@ function do_run_test() {
  // to help with testing edge-cases, we will arrange for .removeAllSince to
  // remove *all* permissions from one principal and one permission from another.
  let permURI1 = NetUtil.newURI("http://example.com");
-  let principal1 = Services.scriptSecurityManager.getNoAppCodebasePrincipal(permURI1);
+  let principal1 = Services.scriptSecurityManager.createCodebasePrincipal(permURI1, {});

  let permURI2 = NetUtil.newURI("http://example.org");
-  let principal2 = Services.scriptSecurityManager.getNoAppCodebasePrincipal(permURI2);
+  let principal2 = Services.scriptSecurityManager.createCodebasePrincipal(permURI2, {});

  // add a permission now - this isn't going to be removed.
  pm.addFromPrincipal(principal1, "test/remove-since", 1);
--- a/extensions/cookie/test/unit/test_permmanager_subdomains.js
+++ b/extensions/cookie/test/unit/test_permmanager_subdomains.js
@ -1,10 +1,11 @@
 /* Any copyright is dedicated to the Public Domain.
   http://creativecommons.org/publicdomain/zero/1.0/ */

-function getPrincipalFromURI(uri) {
-  return Cc["@mozilla.org/scriptsecuritymanager;1"]
-           .getService(Ci.nsIScriptSecurityManager)
-           .getNoAppCodebasePrincipal(NetUtil.newURI(uri));
+function getPrincipalFromURI(aURI) {
+  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+  let uri = NetUtil.newURI(aURI);
+  return ssm.createCodebasePrincipal(uri, {});
 }

 function run_test() {
@ -53,4 +54,4 @@ function run_test() {
  do_check_eq(pm.testPermissionFromPrincipal(sub1Principal, "test/subdomains"),   pm.UNKNOWN_ACTION);
  do_check_eq(pm.testPermissionFromPrincipal(sub2Principal, "test/subdomains"),   pm.UNKNOWN_ACTION);
  do_check_eq(pm.testPermissionFromPrincipal(subsubPrincipal, "test/subdomains"), pm.UNKNOWN_ACTION);
-}
+}
--- a/extensions/cookie/test/unit_ipc/test_child.js
+++ b/extensions/cookie/test/unit_ipc/test_child.js
@ -12,9 +12,9 @@ function isParentProcess() {

 function getPrincipalForURI(aURI) {
  var uri =  gIoService.newURI(aURI, null, null);
-  return Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                   .getService(Ci.nsIScriptSecurityManager)
-                   .getNoAppCodebasePrincipal(uri);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+  return ssm.createCodebasePrincipal(uri, {});
 }

 function run_test() {
--- a/extensions/cookie/test/unit_ipc/test_parent.js
+++ b/extensions/cookie/test/unit_ipc/test_parent.js
@ -12,9 +12,9 @@ function isParentProcess() {

 function getPrincipalForURI(aURI) {
  var uri = gIoService.newURI(aURI, null, null);
-  return Cc["@mozilla.org/scriptsecuritymanager;1"]
-           .getService(Ci.nsIScriptSecurityManager)
-           .getNoAppCodebasePrincipal(uri);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+  return ssm.createCodebasePrincipal(uri, {});
 }

 function run_test() {
--- a/gfx/thebes/gfxSVGGlyphs.cpp
+++ b/gfx/thebes/gfxSVGGlyphs.cpp
@ -19,10 +19,10 @@
 #include "nsStringStream.h"
 #include "nsStreamUtils.h"
 #include "nsIPrincipal.h"
+#include "mozilla/BasePrincipal.h"
 #include "mozilla/dom/Element.h"
 #include "mozilla/LoadInfo.h"
 #include "nsSVGUtils.h"
-#include "nsIScriptSecurityManager.h"
 #include "nsHostObjectProtocolHandler.h"
 #include "nsContentUtils.h"
 #include "gfxFont.h"
@ -348,9 +348,10 @@ gfxSVGGlyphsDocument::ParseDocument(const uint8_t *aBuffer, uint32_t aBufLen)
    rv = NS_NewURI(getter_AddRefs(uri), mSVGGlyphsDocumentURI);
    NS_ENSURE_SUCCESS(rv, rv);

-    nsCOMPtr<nsIPrincipal> principal;
-    nsContentUtils::GetSecurityManager()->
-        GetNoAppCodebasePrincipal(uri, getter_AddRefs(principal));
+    OriginAttributes attrs;
+    nsCOMPtr<nsIPrincipal> principal =
+        BasePrincipal::CreateCodebasePrincipal(uri, attrs);
+    NS_ENSURE_TRUE(principal, NS_ERROR_FAILURE);

    nsCOMPtr<nsIDOMDocument> domDoc;
    rv = NS_NewDOMDocument(getter_AddRefs(domDoc),
--- a/js/xpconnect/src/Sandbox.cpp
+++ b/js/xpconnect/src/Sandbox.cpp
@ -16,7 +16,6 @@
 #include "nsGlobalWindow.h"
 #include "nsIScriptContext.h"
 #include "nsIScriptObjectPrincipal.h"
-#include "nsIScriptSecurityManager.h"
 #include "nsIURI.h"
 #include "nsJSUtils.h"
 #include "nsNetUtil.h"
@ -1193,15 +1192,15 @@ ParsePrincipal(JSContext* cx, HandleString codebase, nsIPrincipal** principal)
        return false;
    }

-    nsCOMPtr<nsIScriptSecurityManager> secman =
-        do_GetService(kScriptSecurityManagerContractID);
-    NS_ENSURE_TRUE(secman, false);
-
    // We could allow passing in the app-id and browser-element info to the
    // sandbox constructor. But creating a sandbox based on a string is a
    // deprecated API so no need to add features to it.
-    rv = secman->GetNoAppCodebasePrincipal(uri, principal);
-    if (NS_FAILED(rv) || !*principal) {
+    OriginAttributes attrs;
+    nsCOMPtr<nsIPrincipal> prin =
+        BasePrincipal::CreateCodebasePrincipal(uri, attrs);
+    prin.forget(principal);
+
+    if (!*principal) {
        JS_ReportError(cx, "Creating Principal from URI failed");
        return false;
    }
--- a/netwerk/test/unit/test_auth_dialog_permission.js
+++ b/netwerk/test/unit/test_auth_dialog_permission.js
@ -111,11 +111,10 @@ function make_uri(url) {
 }

 function makeChan(loadingUrl, url, contentPolicy) {
-  var loadingUri = make_uri(loadingUrl);
-  var principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(loadingUri);
-
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+  var uri = make_uri(loadingUrl);
+  var principal = ssm.createCodebasePrincipal(uri, {});
  var ios = Components.classes["@mozilla.org/network/io-service;1"]
                      .getService(Components.interfaces.nsIIOService);
  var chan = ios.newChannel2(url,
--- a/netwerk/test/unit/test_fallback_no-cache-entry_canceled.js
+++ b/netwerk/test/unit/test_fallback_no-cache-entry_canceled.js
@ -72,10 +72,10 @@ function run_test()

  var pm = Cc["@mozilla.org/permissionmanager;1"]
    .getService(Ci.nsIPermissionManager);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
  var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  var principal = ssm.createCodebasePrincipal(uri, {});

  if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
    dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
--- a/netwerk/test/unit/test_fallback_no-cache-entry_passing.js
+++ b/netwerk/test/unit/test_fallback_no-cache-entry_passing.js
@ -72,10 +72,10 @@ function run_test()

  var pm = Cc["@mozilla.org/permissionmanager;1"]
    .getService(Ci.nsIPermissionManager);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
  var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  var principal = ssm.createCodebasePrincipal(uri, {});

  if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
    dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
--- a/netwerk/test/unit/test_fallback_redirect-to-different-origin_canceled.js
+++ b/netwerk/test/unit/test_fallback_redirect-to-different-origin_canceled.js
@ -80,10 +80,10 @@ function run_test()

  var pm = Cc["@mozilla.org/permissionmanager;1"]
    .getService(Ci.nsIPermissionManager);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
  var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  var principal = ssm.createCodebasePrincipal(uri, {});

  if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
    dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
--- a/netwerk/test/unit/test_fallback_redirect-to-different-origin_passing.js
+++ b/netwerk/test/unit/test_fallback_redirect-to-different-origin_passing.js
@ -80,10 +80,10 @@ function run_test()

  var pm = Cc["@mozilla.org/permissionmanager;1"]
    .getService(Ci.nsIPermissionManager);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
  var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  var principal = ssm.createCodebasePrincipal(uri, {});

  if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
    dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
--- a/netwerk/test/unit/test_fallback_request-error_canceled.js
+++ b/netwerk/test/unit/test_fallback_request-error_canceled.js
@ -79,10 +79,10 @@ function run_test()

  var pm = Cc["@mozilla.org/permissionmanager;1"]
    .getService(Ci.nsIPermissionManager);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
  var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  var principal = ssm.createCodebasePrincipal(uri, {});

  if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
    dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
--- a/netwerk/test/unit/test_fallback_request-error_passing.js
+++ b/netwerk/test/unit/test_fallback_request-error_passing.js
@ -79,10 +79,10 @@ function run_test()

  var pm = Cc["@mozilla.org/permissionmanager;1"]
    .getService(Ci.nsIPermissionManager);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
  var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  var principal = ssm.createCodebasePrincipal(uri, {});

  if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
    dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
--- a/netwerk/test/unit/test_fallback_response-error_canceled.js
+++ b/netwerk/test/unit/test_fallback_response-error_canceled.js
@ -79,10 +79,10 @@ function run_test()

  var pm = Cc["@mozilla.org/permissionmanager;1"]
    .getService(Ci.nsIPermissionManager);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
  var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  var principal = ssm.createCodebasePrincipal(uri, {});

  if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
    dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
--- a/netwerk/test/unit/test_fallback_response-error_passing.js
+++ b/netwerk/test/unit/test_fallback_response-error_passing.js
@ -79,10 +79,10 @@ function run_test()

  var pm = Cc["@mozilla.org/permissionmanager;1"]
    .getService(Ci.nsIPermissionManager);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
  var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  var principal = ssm.createCodebasePrincipal(uri, {});

  if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
    dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
--- a/netwerk/test/unit/test_offlinecache_custom-directory.js
+++ b/netwerk/test/unit/test_offlinecache_custom-directory.js
@ -103,10 +103,10 @@ function run_test()

  var pm = Cc["@mozilla.org/permissionmanager;1"]
    .getService(Ci.nsIPermissionManager);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
  var uri = make_uri("http://localhost:4444");
-  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  var principal = ssm.createCodebasePrincipal(uri, {});

  if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
    dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
--- a/netwerk/test/unit/test_permmgr.js
+++ b/netwerk/test/unit/test_permmgr.js
@ -46,7 +46,7 @@ function run_test() {
  // put a few hosts in
  for (var i = 0; i < hosts.length; ++i) {
    let uri = ioService.newURI(hosts[i][0], null, null);
-    let principal = secMan.getNoAppCodebasePrincipal(uri);
+    let principal = secMan.createCodebasePrincipal(uri, {});

    pm.addFromPrincipal(principal, hosts[i][1], hosts[i][2]);
  }
@ -54,7 +54,7 @@ function run_test() {
  // test the result
  for (var i = 0; i < results.length; ++i) {
    let uri = ioService.newURI(results[i][0], null, null);
-    let principal = secMan.getNoAppCodebasePrincipal(uri);
+    let principal = secMan.createCodebasePrincipal(uri, {});

    do_check_eq(pm.testPermissionFromPrincipal(principal, results[i][1]), results[i][2]);
    do_check_eq(pm.testExactPermissionFromPrincipal(principal, results[i][1]), results[i][3]);
--- a/services/sync/Weave.js
+++ b/services/sync/Weave.js
@ -188,7 +188,8 @@ AboutWeaveLog.prototype = {
    // view. That way links to files can be opened.
    let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
                .getService(Ci.nsIScriptSecurityManager);
-    let principal = ssm.getNoAppCodebasePrincipal(uri);
+    let principal = ssm.createCodebasePrincipal(uri, {});
+
    channel.owner = principal;
    return channel;
  }
--- a/testing/mochitest/tests/Harness_sanity/test_bug816847.html
+++ b/testing/mochitest/tests/Harness_sanity/test_bug816847.html
@ -34,14 +34,14 @@ const unknown = Ci.nsIPermissionManager.UNKNOWN_ACTION;
 const perms = ['network-events', 'geolocation', 'camera', 'alarms']

 function createPrincipal(aURI, aIsApp, aIsInBrowserElement) {
-  if(aIsApp) {
+  if (aIsApp) {
    var app = appsSvc.getAppByManifestURL(aURI);
    return app.principal;
  }

  var uri = Services.io.newURI(aURI, null, null);
  return Services.scriptSecurityManager
-                 .getNoAppCodebasePrincipal(uri);
+                 .createCodebasePrincipal(uri, {});
 }

 // test addPermission and removePermission
--- a/toolkit/components/downloads/ApplicationReputation.cpp
+++ b/toolkit/components/downloads/ApplicationReputation.cpp
@ -15,7 +15,6 @@
 #include "nsIHttpChannel.h"
 #include "nsIIOService.h"
 #include "nsIPrefService.h"
-#include "nsIScriptSecurityManager.h"
 #include "nsISimpleEnumerator.h"
 #include "nsIStreamListener.h"
 #include "nsIStringStream.h"
@ -28,6 +27,7 @@
 #include "nsIX509CertDB.h"
 #include "nsIX509CertList.h"

+#include "mozilla/BasePrincipal.h"
 #include "mozilla/Preferences.h"
 #include "mozilla/Services.h"
 #include "mozilla/Telemetry.h"
@ -50,6 +50,8 @@
 #include "nsILoadInfo.h"
 #include "nsContentUtils.h"

+using mozilla::BasePrincipal;
+using mozilla::OriginAttributes;
 using mozilla::Preferences;
 using mozilla::TimeStamp;
 using mozilla::Telemetry::Accumulate;
@ -293,13 +295,12 @@ PendingDBLookup::LookupSpecInternal(const nsACString& aSpec)
  rv = ios->NewURI(aSpec, nullptr, nullptr, getter_AddRefs(uri));
  NS_ENSURE_SUCCESS(rv, rv);

-  nsCOMPtr<nsIPrincipal> principal;
-  nsCOMPtr<nsIScriptSecurityManager> secMan =
-    do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  rv = secMan->GetNoAppCodebasePrincipal(uri, getter_AddRefs(principal));
-  NS_ENSURE_SUCCESS(rv, rv);
+  OriginAttributes attrs;
+  nsCOMPtr<nsIPrincipal> principal =
+    BasePrincipal::CreateCodebasePrincipal(uri, attrs);
+  if (!principal) {
+    return NS_ERROR_FAILURE;
+  }

  // Check local lists to see if the URI has already been whitelisted or
  // blacklisted.
--- a/toolkit/components/downloads/test/unit/test_app_rep.js
+++ b/toolkit/components/downloads/test/unit/test_app_rep.js
@ -317,11 +317,11 @@ add_test(function test_redirect_on_blocklist() {
  let secman = Services.scriptSecurityManager;
  let badRedirects = Cc["@mozilla.org/array;1"]
                       .createInstance(Ci.nsIMutableArray);
-  badRedirects.appendElement(secman.getNoAppCodebasePrincipal(exampleURI),
+  badRedirects.appendElement(secman.createCodebasePrincipal(exampleURI, {}),
                             false);
-  badRedirects.appendElement(secman.getNoAppCodebasePrincipal(blocklistedURI),
+  badRedirects.appendElement(secman.createCodebasePrincipal(blocklistedURI, {}),
                             false);
-  badRedirects.appendElement(secman.getNoAppCodebasePrincipal(whitelistedURI),
+  badRedirects.appendElement(secman.createCodebasePrincipal(whitelistedURI, {}),
                             false);
  gAppRep.queryReputation({
    sourceURI: whitelistedURI,
--- a/toolkit/components/places/BookmarkJSONUtils.jsm
+++ b/toolkit/components/places/BookmarkJSONUtils.jsm
@ -209,7 +209,7 @@ BookmarkImporter.prototype = {
      let uri = NetUtil.newURI(spec);
      let channel = NetUtil.newChannel({
        uri,
-        loadingPrincipal: Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri),
+        loadingPrincipal: Services.scriptSecurityManager.createCodebasePrincipal(uri, {}),
        contentPolicyType: Ci.nsIContentPolicy.TYPE_INTERNAL_XMLHTTPREQUEST
      });
      let streamLoader = Cc["@mozilla.org/network/stream-loader;1"]
--- a/toolkit/components/places/nsLivemarkService.js
+++ b/toolkit/components/places/nsLivemarkService.js
@ -528,7 +528,7 @@ Livemark.prototype = {
                      createInstance(Ci.nsILoadGroup);
      let channel = NetUtil.newChannel({
        uri: this.feedURI.spec,
-        loadingPrincipal: Services.scriptSecurityManager.getNoAppCodebasePrincipal(this.feedURI),
+        loadingPrincipal: Services.scriptSecurityManager.createCodebasePrincipal(this.feedURI, {}),
        contentPolicyType: Ci.nsIContentPolicy.TYPE_INTERNAL_XMLHTTPREQUEST
      }).QueryInterface(Ci.nsIHttpChannel);
      channel.loadGroup = loadgroup;
--- a/toolkit/components/social/SocialService.jsm
+++ b/toolkit/components/social/SocialService.jsm
@ -153,7 +153,7 @@ XPCOMUtils.defineLazyGetter(SocialServiceInternal, "providers", function () {
 function getOriginActivationType(origin) {
  // if this is an about uri, treat it as a directory
  let URI = Services.io.newURI(origin, null, null);
-  let principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(URI);
+  let principal = Services.scriptSecurityManager.createCodebasePrincipal(URI, {});
  if (Services.scriptSecurityManager.isSystemPrincipal(principal) || origin == "moz-safe-about:home") {
    return "internal";
  }
@ -513,7 +513,7 @@ this.SocialService = {
    }
    // force/fixup origin
    let URI = Services.io.newURI(installOrigin, null, null);
-    principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(URI);
+    principal = Services.scriptSecurityManager.createCodebasePrincipal(URI, {});
    data.origin = principal.origin;

    // iconURL and name are required
@ -714,7 +714,7 @@ function SocialProvider(input) {
  this.postActivationURL = input.postActivationURL;
  this.origin = input.origin;
  let originUri = Services.io.newURI(input.origin, null, null);
-  this.principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(originUri);
+  this.principal = Services.scriptSecurityManager.createCodebasePrincipal(originUri, {});
  this.ambientNotificationIcons = {};
  this.errorState = null;
  this.frecency = 0;
--- a/toolkit/components/url-classifier/tests/unit/head_urlclassifier.js
+++ b/toolkit/components/url-classifier/tests/unit/head_urlclassifier.js
@ -221,7 +221,7 @@ checkUrls: function(urls, expected, cb)
  var doLookup = function() {
    if (urls.length > 0) {
      var fragment = urls.shift();
-      var principal = secMan.getNoAppCodebasePrincipal(iosvc.newURI("http://" + fragment, null, null));
+      var principal = secMan.createCodebasePrincipal(iosvc.newURI("http://" + fragment, null, null), {});
      dbservice.lookup(principal, allTables,
                                function(arg) {
                                  do_check_eq(expected, arg);
--- a/toolkit/components/url-classifier/tests/unit/test_dbservice.js
+++ b/toolkit/components/url-classifier/tests/unit/test_dbservice.js
@ -97,7 +97,7 @@ function checkNoHost()
  // Looking up a no-host uri such as a data: uri should throw an exception.
  var exception;
  try {
-    var principal = secMan.getNoAppCodebasePrincipal(iosvc.newURI("data:text/html,<b>test</b>", null, null));
+    var principal = secMan.createCodebasePrincipal(iosvc.newURI("data:text/html,<b>test</b>", null, null), {});
    dbservice.lookup(principal, allTables);

    exception = false;
@ -198,26 +198,27 @@ function checkState()
 {
  numExpecting = 0;

+
  for (var key in phishExpected) {
-    var principal = secMan.getNoAppCodebasePrincipal(iosvc.newURI("http://" + key, null, null));
+    var principal = secMan.createCodebasePrincipal(iosvc.newURI("http://" + key, null, null), {});
    dbservice.lookup(principal, allTables, phishExists, true);
    numExpecting++;
  }

  for (var key in phishUnexpected) {
-    var principal = secMan.getNoAppCodebasePrincipal(iosvc.newURI("http://" + key, null, null));
+    var principal = secMan.createCodebasePrincipal(iosvc.newURI("http://" + key, null, null), {});
    dbservice.lookup(principal, allTables, phishDoesntExist, true);
    numExpecting++;
  }

  for (var key in malwareExpected) {
-    var principal = secMan.getNoAppCodebasePrincipal(iosvc.newURI("http://" + key, null, null));
+    var principal = secMan.createCodebasePrincipal(iosvc.newURI("http://" + key, null, null), {});
    dbservice.lookup(principal, allTables, malwareExists, true);
    numExpecting++;
  }

  for (var key in unwantedExpected) {
-    var principal = secMan.getNoAppCodebasePrincipal(iosvc.newURI("http://" + key, null, null));
+    var principal = secMan.createCodebasePrincipal(iosvc.newURI("http://" + key, null, null), {});
    dbservice.lookup(principal, allTables, unwantedExists, true);
    numExpecting++;
  }
--- a/toolkit/components/url-classifier/tests/unit/test_digest256.js
+++ b/toolkit/components/url-classifier/tests/unit/test_digest256.js
@ -124,7 +124,7 @@ add_test(function test_update() {

 add_test(function test_url_not_whitelisted() {
  let uri = createURI("http://example.com");
-  let principal = gSecMan.getNoAppCodebasePrincipal(uri);
+  let principal = gSecMan.createCodebasePrincipal(uri, {});
  gDbService.lookup(principal, "goog-downloadwhite-digest256",
    function handleEvent(aEvent) {
      // This URI is not on any lists.
@ -137,7 +137,7 @@ add_test(function test_url_whitelisted() {
  // Hash of "whitelisted.com/" (canonicalized URL) is:
  // 93CA5F48E15E9861CD37C2D95DB43D23CC6E6DE5C3F8FA6E8BE66F97CC518907
  let uri = createURI("http://whitelisted.com");
-  let principal = gSecMan.getNoAppCodebasePrincipal(uri);
+  let principal = gSecMan.createCodebasePrincipal(uri, {});
  gDbService.lookup(principal, "goog-downloadwhite-digest256",
    function handleEvent(aEvent) {
      do_check_eq("goog-downloadwhite-digest256", aEvent);
--- a/toolkit/forgetaboutsite/test/unit/test_removeDataFromDomain.js
+++ b/toolkit/forgetaboutsite/test/unit/test_removeDataFromDomain.js
@ -185,9 +185,9 @@ function add_permission(aURI)
  check_permission_exists(aURI, false);
  let pm = Cc["@mozilla.org/permissionmanager;1"].
           getService(Ci.nsIPermissionManager);
-  let principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(aURI);
+  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+  let principal = ssm.createCodebasePrincipal(aURI, {});

  pm.addFromPrincipal(principal, PERMISSION_TYPE, PERMISSION_VALUE);
  check_permission_exists(aURI, true);
@ -205,9 +205,9 @@ function check_permission_exists(aURI, aExists)
 {
  let pm = Cc["@mozilla.org/permissionmanager;1"].
           getService(Ci.nsIPermissionManager);
-  let principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(aURI);
+  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+  let principal = ssm.createCodebasePrincipal(aURI, {});

  let perm = pm.testExactPermissionFromPrincipal(principal, PERMISSION_TYPE);
  let checker = aExists ? do_check_eq : do_check_neq;
@ -554,9 +554,10 @@ function test_storage_cleared()
 {
  function getStorageForURI(aURI)
  {
-    let principal = Cc["@mozilla.org/scriptsecuritymanager;1"].
-                    getService(Ci.nsIScriptSecurityManager).
-                    getNoAppCodebasePrincipal(aURI);
+    let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+    let principal = ssm.createCodebasePrincipal(aURI, {});
+
    let dsm = Cc["@mozilla.org/dom/localStorage-manager;1"].
              getService(Ci.nsIDOMStorageManager);
    return dsm.createStorage(null, principal, "");
--- a/toolkit/modules/NewTabUtils.jsm
+++ b/toolkit/modules/NewTabUtils.jsm
@ -25,7 +25,7 @@ XPCOMUtils.defineLazyModuleGetter(this, "BinarySearch",

 XPCOMUtils.defineLazyGetter(this, "gPrincipal", function () {
  let uri = Services.io.newURI("about:newtab", null, null);
-  return Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri);
+  return Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
 });

 XPCOMUtils.defineLazyGetter(this, "gCryptoHash", function () {
--- a/toolkit/modules/PermissionsUtils.jsm
+++ b/toolkit/modules/PermissionsUtils.jsm
@ -39,8 +39,8 @@ function importPrefBranch(aPrefBranch, aPermission, aAction) {
          let httpsURI = Services.io.newURI("https://" + origin, null, null);

          principals = [
-            Services.scriptSecurityManager.getNoAppCodebasePrincipal(httpURI),
-            Services.scriptSecurityManager.getNoAppCodebasePrincipal(httpsURI)
+            Services.scriptSecurityManager.createCodebasePrincipal(httpURI, {}),
+            Services.scriptSecurityManager.createCodebasePrincipal(httpsURI, {})
          ];
        } catch (e2) {}
      }
--- a/toolkit/webapps/NativeApp.jsm
+++ b/toolkit/webapps/NativeApp.jsm
@ -457,10 +457,9 @@ function downloadIcon(aIconURI) {
    // installing the app, hence app.origin is not available yet and
    // therefore we can not call getAppCodebasePrincipal.
    let principal =
-      aIconURI.schemeIs("chrome") ? Services.scriptSecurityManager
-                                            .getSystemPrincipal()
-                                  : Services.scriptSecurityManager
-                                            .getNoAppCodebasePrincipal(aIconURI);
+      aIconURI.schemeIs("chrome") ?
+        Services.scriptSecurityManager.getSystemPrincipal() :
+        Services.scriptSecurityManager.createCodebasePrincipal(aIconURI, {});

    let channel = NetUtil.newChannel({
      uri: aIconURI,
--- a/uriloader/prefetch/nsOfflineCacheUpdateService.cpp
+++ b/uriloader/prefetch/nsOfflineCacheUpdateService.cpp
@ -29,7 +29,6 @@
 #include "nsICryptoHash.h"
 #include "nsIPermissionManager.h"
 #include "nsIPrincipal.h"
-#include "nsIScriptSecurityManager.h"
 #include "nsNetCID.h"
 #include "nsServiceManagerUtils.h"
 #include "nsStreamUtils.h"
@ -718,9 +717,9 @@ nsOfflineCacheUpdateService::OfflineAppAllowedForURI(nsIURI *aURI,
                                                     nsIPrefBranch *aPrefBranch,
                                                     bool *aAllowed)
 {
-    nsCOMPtr<nsIPrincipal> principal;
-    nsContentUtils::GetSecurityManager()->
-        GetNoAppCodebasePrincipal(aURI, getter_AddRefs(principal));
+    OriginAttributes attrs;
+    nsCOMPtr<nsIPrincipal> principal =
+        BasePrincipal::CreateCodebasePrincipal(aURI, attrs);
    return OfflineAppPermForPrincipal(principal, aPrefBranch, false, aAllowed);
 }

@ -729,9 +728,9 @@ nsOfflineCacheUpdateService::OfflineAppPinnedForURI(nsIURI *aDocumentURI,
                                                    nsIPrefBranch *aPrefBranch,
                                                    bool *aPinned)
 {
-    nsCOMPtr<nsIPrincipal> principal;
-    nsContentUtils::GetSecurityManager()->
-        GetNoAppCodebasePrincipal(aDocumentURI, getter_AddRefs(principal));
+    OriginAttributes attrs;
+    nsCOMPtr<nsIPrincipal> principal =
+        BasePrincipal::CreateCodebasePrincipal(aDocumentURI, attrs);
    return OfflineAppPermForPrincipal(principal, aPrefBranch, true, aPinned);
 }