import changes from `dev' branch of rmottola/Arctic-Fox:

- Bug 1165272 - Part 1: Remove getAppCodebasePrincipal. r=bholley (6ed136eaee)
3 months ago · 643393b1a3
34 changed files with 170 additions and 182 deletions
--- a/b2g/components/AboutServiceWorkers.jsm
+++ b/b2g/components/AboutServiceWorkers.jsm
@ -154,11 +154,10 @@ this.AboutServiceWorkers = {
          return;
        }

-        let principal = Services.scriptSecurityManager.getAppCodebasePrincipal(
+        let principal = Services.scriptSecurityManager.createCodebasePrincipal(
+          // TODO: Bug 1196652. use originNoSuffix
          Services.io.newURI(message.principal.origin, null, null),
-          message.principal.originAttributes.appId,
-          message.principal.originAttributes.inBrowser
-        );
+          message.principal.originAttributes);

        if (!message.scope) {
          self.sendError(message.id, "MissingScope");
--- a/b2g/components/ContentPermissionPrompt.js
+++ b/b2g/components/ContentPermissionPrompt.js
@ -205,9 +205,9 @@ ContentPermissionPrompt.prototype = {
    // URL.
    let notDenyAppPrincipal = function(type) {
      let url = Services.io.newURI(app.origin, null, null);
-      let principal = secMan.getAppCodebasePrincipal(url,
-                                                     request.principal.appId,
-                                                     /*mozbrowser*/false);
+      let principal =
+        secMan.createCodebasePrincipal(url,
+                                       {appId: request.principal.appId});
      let result = Services.perms.testExactPermissionFromPrincipal(principal,
                                                                   type.access);

--- a/caps/nsIScriptSecurityManager.idl
+++ b/caps/nsIScriptSecurityManager.idl
@ -26,7 +26,7 @@ class DomainPolicyClone;
 [ptr] native JSObjectPtr(JSObject);
 [ptr] native DomainPolicyClonePtr(mozilla::dom::DomainPolicyClone);

-[scriptable, uuid(9a8f0b70-6b9f-4e19-8885-7cfe24f4a42d)]
+[scriptable, uuid(73f92674-f59d-4c9b-a9b5-f7a3ae8ffa98)]
 interface nsIScriptSecurityManager : nsISupports
 {
    /**
@ -150,10 +150,12 @@ interface nsIScriptSecurityManager : nsISupports
     * @param appId is the app id of the principal. It can't be UNKNOWN_APP_ID.
     * @param inMozBrowser is true if the principal has to be considered as
     * inside a mozbrowser frame.
+     *
+     * @deprecated use createCodebasePrincipal instead.
     */
-    nsIPrincipal getAppCodebasePrincipal(in nsIURI uri,
-                                         in unsigned long appId,
-                                         in boolean inMozBrowser);
+    [deprecated] nsIPrincipal getAppCodebasePrincipal(in nsIURI uri,
+                                                      in unsigned long appId,
+                                                      in boolean inMozBrowser);

    /**
     * Returns a principal that has the appId and inMozBrowser of the load
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@ -11,6 +11,7 @@
 #include "mozilla/ArrayUtils.h"
 #include "mozilla/Attributes.h"
 #include "mozilla/AutoRestore.h"
+#include "mozilla/BasePrincipal.h"
 #include "mozilla/Casting.h"
 #include "mozilla/dom/ContentChild.h"
 #include "mozilla/dom/Element.h"
@ -9527,9 +9528,6 @@ nsDocShell::CreatePrincipalFromReferrer(nsIURI* aReferrer,
                                        nsIPrincipal** aResult)
 {
  nsresult rv;
-  nsCOMPtr<nsIScriptSecurityManager> secMan =
-    do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
-  NS_ENSURE_SUCCESS(rv, rv);

  uint32_t appId;
  rv = GetAppId(&appId);
@ -9537,12 +9535,14 @@ nsDocShell::CreatePrincipalFromReferrer(nsIURI* aReferrer,
  bool isInBrowserElement;
  rv = GetIsInBrowserElement(&isInBrowserElement);
  NS_ENSURE_SUCCESS(rv, rv);
-  rv = secMan->GetAppCodebasePrincipal(aReferrer,
-                                       appId,
-                                       isInBrowserElement,
-                                       aResult);
-  NS_ENSURE_SUCCESS(rv, rv);
-  return NS_OK;
+
+  // TODO: Bug 1165466 - Pass mOriginAttributes directly.
+  OriginAttributes attrs(appId, isInBrowserElement);
+  nsCOMPtr<nsIPrincipal> prin =
+    BasePrincipal::CreateCodebasePrincipal(aReferrer, attrs);
+  prin.forget(aResult);
+
+  return *aResult ? NS_OK : NS_ERROR_FAILURE;
 }

 NS_IMETHODIMP
--- a/dom/apps/AppsUtils.jsm
+++ b/dom/apps/AppsUtils.jsm
@ -70,11 +70,9 @@ mozIApplication.prototype = {
    this._principal = null;

    try {
-      this._principal = Services.scriptSecurityManager.getAppCodebasePrincipal(
+      this._principal = Services.scriptSecurityManager.createCodebasePrincipal(
        Services.io.newURI(this.origin, null, null),
-        this.localId,
-        false /* mozbrowser */
-      );
+        {appId: this.localId});
    } catch(e) {
      dump("Could not create app principal " + e + "\n");
    }
--- a/dom/apps/OfflineCacheInstaller.jsm
+++ b/dom/apps/OfflineCacheInstaller.jsm
@ -228,8 +228,8 @@ function installCache(app) {
  if (!cacheManifest.exists())
    return;

-  let principal = Services.scriptSecurityManager.getAppCodebasePrincipal(
-      app.origin, app.localId, false);
+  let principal =
+    Services.scriptSecurityManager.createCodebasePrincipal(app.origin, {appId: aApp.localId});

  // If the build has been correctly configured, this should not happen!
  // If we install the cache anyway, it won't be updateable. If we don't install
--- a/dom/apps/ScriptPreloader.jsm
+++ b/dom/apps/ScriptPreloader.jsm
@ -40,7 +40,7 @@ this.ScriptPreloader = {
      let toLoad = aManifest.precompile.length;
      let principal =
        Services.scriptSecurityManager
-                .getAppCodebasePrincipal(origin, aApp.localId, false);
+                .createCodebasePrincipal(origin, {appId: aApp.localId});

      aManifest.precompile.forEach((aPath) => {
        let uri = Services.io.newURI(aPath, null, origin);
--- a/dom/apps/Webapps.jsm
+++ b/dom/apps/Webapps.jsm
@ -813,8 +813,7 @@ this.DOMApplicationRegistry = {
    let uri = Services.io.newURI(aOrigin, null, null);
    let secMan = Cc["@mozilla.org/scriptsecuritymanager;1"]
                   .getService(Ci.nsIScriptSecurityManager);
-    let principal = secMan.getAppCodebasePrincipal(uri, aId,
-                                                   /*mozbrowser*/ false);
+    let principal = secMan.createCodebasePrincipal(uri, {appId: aId});
    if (!dataStoreService.checkPermission(principal)) {
      return;
    }
@ -3348,8 +3347,9 @@ this.DOMApplicationRegistry = {
    let requestChannel;

    let appURI = NetUtil.newURI(aNewApp.origin, null, null);
-    let principal = Services.scriptSecurityManager.getAppCodebasePrincipal(
-                      appURI, aNewApp.localId, false);
+    let principal =
+      Services.scriptSecurityManager.createCodebasePrincipal(appURI,
+                                                             {appId: aNewApp.localId});

    if (aIsLocalFileInstall) {
      requestChannel = NetUtil.newChannel({
--- a/dom/base/nsGlobalWindow.cpp
+++ b/dom/base/nsGlobalWindow.cpp
@ -97,7 +97,6 @@
 #include "nsThreadUtils.h"
 #include "nsILoadContext.h"
 #include "nsIPresShell.h"
-#include "nsIScriptSecurityManager.h"
 #include "nsIScrollableFrame.h"
 #include "nsView.h"
 #include "nsViewManager.h"
@ -194,6 +193,7 @@
 #include "nsRefreshDriver.h"

 #include "mozilla/AddonPathService.h"
+#include "mozilla/BasePrincipal.h"
 #include "mozilla/Services.h"
 #include "mozilla/Telemetry.h"
 #include "nsLocation.h"
@ -258,6 +258,8 @@ static const char kStorageEnabled[] = "dom.storage.enabled";
 using namespace mozilla;
 using namespace mozilla::dom;
 using namespace mozilla::dom::ipc;
+using mozilla::BasePrincipal;
+using mozilla::OriginAttributes;
 using mozilla::TimeStamp;
 using mozilla::TimeDuration;
 using mozilla::dom::cache::CacheStorage;
@ -8311,21 +8313,14 @@ nsGlobalWindow::PostMessageMozOuter(JSContext* aCx, JS::Handle<JS::Value> aMessa
      return;
    }

-    nsCOMPtr<nsIScriptSecurityManager> ssm =
-      nsContentUtils::GetSecurityManager();
-    MOZ_ASSERT(ssm);
-
    nsCOMPtr<nsIPrincipal> principal = nsContentUtils::SubjectPrincipal();
    MOZ_ASSERT(principal);

-    uint32_t appId = principal->GetAppId();
-    bool isInBrowser = principal->GetIsInBrowserElement();
-
+    OriginAttributes attrs = BasePrincipal::Cast(principal)->OriginAttributesRef();
    // Create a nsIPrincipal inheriting the app/browser attributes from the
    // caller.
-    nsresult rv = ssm->GetAppCodebasePrincipal(originURI, appId, isInBrowser,
-                                             getter_AddRefs(providedPrincipal));
-    if (NS_WARN_IF(NS_FAILED(rv))) {
+    providedPrincipal = BasePrincipal::CreateCodebasePrincipal(originURI, attrs);
+    if (NS_WARN_IF(!providedPrincipal)) {
      return;
    }
  }
--- a/dom/browser-element/BrowserElementParent.js
+++ b/dom/browser-element/BrowserElementParent.js
@ -820,14 +820,16 @@ BrowserElementParent.prototype = {
      catch(e) {
        debug('Malformed referrer -- ' + e);
      }
+
+      // TODO Bug 1165466: use originAttributes from nsILoadContext.
+      let attrs = {appId: this._frameLoader.loadContext.appId,
+                   inBrowser: this._frameLoader.loadContext.isInBrowserElement};
      // This simply returns null if there is no principal available
      // for the requested uri. This is an acceptable fallback when
      // calling newChannelFromURI2.
-      principal = 
-        Services.scriptSecurityManager.getAppCodebasePrincipal(
-          referrer, 
-          this._frameLoader.loadContext.appId, 
-          this._frameLoader.loadContext.isInBrowserElement);
+      principal =
+        Services.scriptSecurityManager.createCodebasePrincipal(
+          referrer, attrs);
    }

    debug('Using principal? ' + !!principal);
--- a/dom/browser-element/mochitest/browserElement_Auth.js
+++ b/dom/browser-element/mochitest/browserElement_Auth.js
@ -89,15 +89,17 @@ function testAuthJarNoInterfere(e) {

  // Set a bunch of auth data that should not conflict with the correct auth data already
  // stored in the cache.
-  var principal = secMan.getAppCodebasePrincipal(uri, 1, false);
+  var attrs = {appId: 1};
+  var principal = secMan.createCodebasePrincipal(uri, attrs);
  authMgr.setAuthIdentity('http', 'test', -1, 'basic', 'http_realm',
                          'tests/dom/browser-element/mochitest/file_http_401_response.sjs',
                          '', 'httpuser', 'wrongpass', false, principal);
-  principal = secMan.getAppCodebasePrincipal(uri, 1, true);
+  attrs = {appId: 1, inBrowser: true};
+  principal = secMan.createCodebasePrincipal(uri, attrs);
  authMgr.setAuthIdentity('http', 'test', -1, 'basic', 'http_realm',
                          'tests/dom/browser-element/mochitest/file_http_401_response.sjs',
                          '', 'httpuser', 'wrongpass', false, principal);
-  principal = secMan.getAppCodebasePrincipal(uri, secMan.NO_APP_ID, false);
+  principal = secMan.createCodebasePrincipal(uri, {});
  authMgr.setAuthIdentity('http', 'test', -1, 'basic', 'http_realm',
                          'tests/dom/browser-element/mochitest/file_http_401_response.sjs',
                          '', 'httpuser', 'wrongpass', false, principal);
@ -127,7 +129,7 @@ function testAuthJarInterfere(e) {
  var uri = ioService.newURI("http://test/tests/dom/browser-element/mochitest/file_http_401_response.sjs", null, null);

  // Set some auth data that should overwrite the successful stored details.
-  var principal = secMan.getAppCodebasePrincipal(uri, secMan.NO_APP_ID, true);
+  var principal = secMan.createCodebasePrincipal(uri, {inBrowser: true});
  authMgr.setAuthIdentity('http', 'test', -1, 'basic', 'http_realm',
                          'tests/dom/browser-element/mochitest/file_http_401_response.sjs',
                          '', 'httpuser', 'wrongpass', false, principal);
--- a/dom/datastore/DataStoreService.cpp
+++ b/dom/datastore/DataStoreService.cpp
@ -14,6 +14,7 @@
 #include "mozilla/dom/DataStoreImplBinding.h"
 #include "nsIDataStore.h"

+#include "mozilla/BasePrincipal.h"
 #include "mozilla/Preferences.h"
 #include "mozilla/Services.h"
 #include "mozilla/StaticPtr.h"
@ -56,6 +57,9 @@
    return NS_ERROR_FAILURE;                                                \
  }

+using mozilla::BasePrincipal;
+using mozilla::OriginAttributes;
+
 namespace mozilla {
 namespace dom {

@ -213,17 +217,10 @@ ResetPermission(uint32_t aAppId, const nsAString& aOriginURL,
    return rv;
  }

-  nsIScriptSecurityManager* ssm = nsContentUtils::GetSecurityManager();
-  if (!ssm) {
-    return NS_ERROR_FAILURE;
-  }
-
-  nsCOMPtr<nsIPrincipal> principal;
-  rv = ssm->GetAppCodebasePrincipal(uri, aAppId, false,
-                                    getter_AddRefs(principal));
-  if (NS_WARN_IF(NS_FAILED(rv))) {
-    return rv;
-  }
+  OriginAttributes attrs(aAppId, false);
+  nsCOMPtr<nsIPrincipal> principal =
+    BasePrincipal::CreateCodebasePrincipal(uri, attrs);
+  NS_ENSURE_TRUE(principal, NS_ERROR_FAILURE);

  nsCOMPtr<nsIPermissionManager> pm =
    do_GetService(NS_PERMISSIONMANAGER_CONTRACTID);
--- a/dom/indexedDB/ActorsParent.cpp
+++ b/dom/indexedDB/ActorsParent.cpp
@ -18638,12 +18638,6 @@ FactoryOp::CheckAtLeastOneAppHasPermission(ContentParent* aContentParent,
      return false;
    }

-    nsCOMPtr<nsIScriptSecurityManager> secMan =
-      do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID);
-    if (NS_WARN_IF(!secMan)) {
-      return false;
-    }
-
    nsCOMPtr<nsIPermissionManager> permMan =
      mozilla::services::GetPermissionManager();
    if (NS_WARN_IF(!permMan)) {
@ -18666,24 +18660,9 @@ FactoryOp::CheckAtLeastOneAppHasPermission(ContentParent* aContentParent,
        return false;
      }

-      nsString origin;
-      rv = app->GetOrigin(origin);
-      if (NS_WARN_IF(NS_FAILED(rv))) {
-        return false;
-      }
-
-      nsCOMPtr<nsIURI> uri;
-      rv = NS_NewURI(getter_AddRefs(uri), origin, nullptr, nullptr, ioService);
-      if (NS_WARN_IF(NS_FAILED(rv))) {
-        return false;
-      }
-
      nsCOMPtr<nsIPrincipal> principal;
-      rv = secMan->GetAppCodebasePrincipal(uri, appId, false,
-                                           getter_AddRefs(principal));
-      if (NS_WARN_IF(NS_FAILED(rv))) {
-        return false;
-      }
+      app->GetPrincipal(getter_AddRefs(principal));
+      NS_ENSURE_TRUE(principal, false);

      uint32_t permission;
      rv = permMan->TestExactPermissionFromPrincipal(principal,
--- a/dom/indexedDB/test/unit/test_defaultStorageUpgrade.js
+++ b/dom/indexedDB/test/unit/test_defaultStorageUpgrade.js
@ -92,8 +92,9 @@ function testSteps()
      let uri = ios.newURI(params.url, null, null);
      let principal;
      if ("appId" in params) {
-        principal = ssm.getAppCodebasePrincipal(uri, params.appId,
-                                                params.inMozBrowser);
+        principal =
+          ssm.createCodebasePrincipal(uri, {appId: params.appId,
+                                            inBrowser: params.inMozBrowser});
      } else {
        principal = ssm.getNoAppCodebasePrincipal(uri);
      }
--- a/dom/ipc/AppProcessChecker.cpp
+++ b/dom/ipc/AppProcessChecker.cpp
@ -12,7 +12,6 @@
 #include "mozilla/hal_sandbox/PHalParent.h"
 #include "nsIAppsService.h"
 #include "nsIPrincipal.h"
-#include "nsIScriptSecurityManager.h"
 #include "nsPrintfCString.h"
 #include "nsIURI.h"
 #include "nsNetUtil.h"
@ -232,21 +231,10 @@ GetAppPrincipal(uint32_t aAppId)
  nsresult rv = appsService->GetAppByLocalId(aAppId, getter_AddRefs(app));
  NS_ENSURE_SUCCESS(rv, nullptr);

-  nsString origin;
-  rv = app->GetOrigin(origin);
-  NS_ENSURE_SUCCESS(rv, nullptr);
-
-  nsCOMPtr<nsIURI> uri;
-  NS_NewURI(getter_AddRefs(uri), origin);
+  nsCOMPtr<nsIPrincipal> principal;
+  app->GetPrincipal(getter_AddRefs(principal));

-  nsCOMPtr<nsIScriptSecurityManager> secMan =
-    do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID);
-
-  nsCOMPtr<nsIPrincipal> appPrincipal;
-  rv = secMan->GetAppCodebasePrincipal(uri, aAppId, false,
-                                       getter_AddRefs(appPrincipal));
-  NS_ENSURE_SUCCESS(rv, nullptr);
-  return appPrincipal.forget();
+  return principal.forget();
 }

 uint32_t
--- a/dom/ipc/TabChild.cpp
+++ b/dom/ipc/TabChild.cpp
@ -1594,23 +1594,15 @@ TabChild::MaybeRequestPreinitCamera()
      return;
    }

-    nsString manifestUrl = EmptyString();
-    appsService->GetManifestURLByLocalId(OwnAppId(), manifestUrl);
-    nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
-    if (NS_WARN_IF(!secMan)) {
-      return;
-    }
-
-    nsCOMPtr<nsIURI> uri;
-    nsresult rv = NS_NewURI(getter_AddRefs(uri), manifestUrl);
+    nsCOMPtr<mozIApplication> app;
+    nsresult rv = appsService->GetAppByLocalId(OwnAppId(), getter_AddRefs(app));
    if (NS_WARN_IF(NS_FAILED(rv))) {
      return;
    }

    nsCOMPtr<nsIPrincipal> principal;
-    rv = secMan->GetAppCodebasePrincipal(uri, OwnAppId(), false,
-                                         getter_AddRefs(principal));
-    if (NS_WARN_IF(NS_FAILED(rv))) {
+    app->GetPrincipal(getter_AddRefs(principal));
+    if (NS_WARN_IF(!principal)) {
      return;
    }

--- a/dom/payment/Payment.jsm
+++ b/dom/payment/Payment.jsm
@ -236,8 +236,9 @@ let PaymentManager =  {
        if (systemAppId != Ci.nsIScriptSecurityManager.NO_APP_ID) {
          this.LOG("Granting firefox-accounts permission to " + provider.uri);
          let uri = Services.io.newURI(provider.uri, null, null);
-          let principal = Services.scriptSecurityManager
-                            .getAppCodebasePrincipal(uri, systemAppId, true);
+          let attrs = {appId: systemAppId, inBrowser: true};
+          let principal =
+            Services.scriptSecurityManager.createCodebasePrincipal(uri, attrs);

          Services.perms.addFromPrincipal(principal, "firefox-accounts",
                                          Ci.nsIPermissionManager.ALLOW_ACTION,
--- a/dom/permission/PermissionSettings.js
+++ b/dom/permission/PermissionSettings.js
@ -35,10 +35,14 @@ XPCOMUtils.defineLazyServiceGetter(this,

 PermissionSettings.prototype = {
  get: function get(aPermName, aManifestURL, aOrigin, aBrowserFlag) {
+    // TODO: Bug 1196644 - Add signPKg parameter into PermissionSettings.js
    debug("Get called with: " + aPermName + ", " + aManifestURL + ", " + aOrigin + ", " + aBrowserFlag);
    let uri = Services.io.newURI(aOrigin, null, null);
    let appID = appsService.getAppLocalIdByManifestURL(aManifestURL);
-    let principal = Services.scriptSecurityManager.getAppCodebasePrincipal(uri, appID, aBrowserFlag);
+    let principal =
+      Services.scriptSecurityManager.createCodebasePrincipal(uri,
+                                                             {appId: appID,
+                                                              inBrowser: aBrowserFlag});
    let result = Services.perms.testExactPermanentPermission(principal, aPermName);

    switch (result)
@ -59,11 +63,12 @@ PermissionSettings.prototype = {

  isExplicit: function isExplicit(aPermName, aManifestURL, aOrigin,
                                  aBrowserFlag) {
+    // TODO: Bug 1196644 - Add signPKg parameter into PermissionSettings.js
    debug("isExplicit: " + aPermName + ", " + aManifestURL + ", " + aOrigin);
    let uri = Services.io.newURI(aOrigin, null, null);
    let app = appsService.getAppByManifestURL(aManifestURL);
    let principal = Services.scriptSecurityManager
-      .getAppCodebasePrincipal(uri, app.localId, aBrowserFlag);
+      .createCodebasePrincipal(uri, {appId: app.localId, inBrowser: aBrowserFlag});

    return isExplicitInPermissionsTable(aPermName,
                                        principal.appStatus,
@ -99,9 +104,13 @@ PermissionSettings.prototype = {
  },

  remove: function remove(aPermName, aManifestURL, aOrigin) {
+    // TODO: Bug 1196644 - Add signPKg parameter into PermissionSettings.js
    let uri = Services.io.newURI(aOrigin, null, null);
    let appID = appsService.getAppLocalIdByManifestURL(aManifestURL);
-    let principal = Services.scriptSecurityManager.getAppCodebasePrincipal(uri, appID, true);
+    let principal =
+      Services.scriptSecurityManager.createCodebasePrincipal(uri,
+                                                             {appId: appID,
+                                                              inBrowser: true});

    if (principal.appStatus !== Ci.nsIPrincipal.APP_STATUS_NOT_INSTALLED) {
      let errorMsg = "PermissionSettings.js: '" + aOrigin + "'" +
--- a/dom/permission/PermissionSettings.jsm
+++ b/dom/permission/PermissionSettings.jsm
@ -67,9 +67,13 @@ this.PermissionSettingsModule = {


  _internalAddPermission: function _internalAddPermission(aData, aAllowAllChanges, aCallbacks) {
+    // TODO: Bug 1196644 - Add signPKg parameter into PermissionSettings.jsm
    let uri = Services.io.newURI(aData.origin, null, null);
    let app = appsService.getAppByManifestURL(aData.manifestURL);
-    let principal = Services.scriptSecurityManager.getAppCodebasePrincipal(uri, app.localId, aData.browserFlag);
+    let principal =
+      Services.scriptSecurityManager.createCodebasePrincipal(uri,
+                                                             {appId: app.localId,
+                                                              inBrowser: aData.browserFlag});

    let action;
    switch (aData.value)
@ -103,10 +107,14 @@ this.PermissionSettingsModule = {
  },

  getPermission: function getPermission(aPermName, aManifestURL, aOrigin, aBrowserFlag) {
+    // TODO: Bug 1196644 - Add signPKg parameter into PermissionSettings.jsm
    debug("getPermission: " + aPermName + ", " + aManifestURL + ", " + aOrigin);
    let uri = Services.io.newURI(aOrigin, null, null);
    let appID = appsService.getAppLocalIdByManifestURL(aManifestURL);
-    let principal = Services.scriptSecurityManager.getAppCodebasePrincipal(uri, appID, aBrowserFlag);
+    let principal =
+      Services.scriptSecurityManager.createCodebasePrincipal(uri,
+                                                             {appId: appID,
+                                                              inBrowser: aBrowserFlag});
    let result = Services.perms.testExactPermissionFromPrincipal(principal, aPermName);

    switch (result)
--- a/dom/quota/QuotaManager.cpp
+++ b/dom/quota/QuotaManager.cpp
@ -27,6 +27,7 @@
 #include <algorithm>
 #include "GeckoProfiler.h"
 #include "mozilla/Atomics.h"
+#include "mozilla/BasePrincipal.h"
 #include "mozilla/CondVar.h"
 #include "mozilla/dom/PContent.h"
 #include "mozilla/dom/asmjscache/AsmJSCache.h"
@ -5305,10 +5306,9 @@ StorageDirectoryHelper::RunOnMainThread()
          rv = secMan->GetSimpleCodebasePrincipal(uri,
                                                  getter_AddRefs(principal));
        } else {
-          rv = secMan->GetAppCodebasePrincipal(uri,
-                                               originProps.mAppId,
-                                               originProps.mInMozBrowser,
-                                               getter_AddRefs(principal));
+          OriginAttributes attrs(originProps.mAppId, originProps.mInMozBrowser);
+          principal = BasePrincipal::CreateCodebasePrincipal(uri, attrs);
+          rv = principal ? NS_OK : NS_ERROR_FAILURE;
        }
        if (NS_WARN_IF(NS_FAILED(rv))) {
          return rv;
--- a/extensions/cookie/nsPermissionManager.cpp
+++ b/extensions/cookie/nsPermissionManager.cpp
@ -36,6 +36,7 @@
 #include "nsIDocument.h"
 #include "mozilla/net/NeckoMessageUtils.h"
 #include "mozilla/Preferences.h"
+#include "mozilla/BasePrincipal.h"
 #include "nsReadLine.h"
 #include "mozilla/Telemetry.h"
 #include "nsIConsoleService.h"
@ -104,9 +105,6 @@ nsresult
 GetPrincipal(const nsACString& aHost, uint32_t aAppId, bool aIsInBrowserElement,
             nsIPrincipal** aPrincipal)
 {
-  nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
-  NS_ENSURE_TRUE(secMan, NS_ERROR_FAILURE);
-
  nsCOMPtr<nsIURI> uri;
  nsresult rv = NS_NewURI(getter_AddRefs(uri), aHost);
  if (NS_FAILED(rv)) {
@ -123,7 +121,13 @@ GetPrincipal(const nsACString& aHost, uint32_t aAppId, bool aIsInBrowserElement,
    NS_ENSURE_SUCCESS(rv, rv);
  }

-  return secMan->GetAppCodebasePrincipal(uri, aAppId, aIsInBrowserElement, aPrincipal);
+  // TODO: Bug 1165267 - Use OriginAttributes for nsCookieService
+  mozilla::OriginAttributes attrs(aAppId, aIsInBrowserElement);
+  nsCOMPtr<nsIPrincipal> principal = mozilla::BasePrincipal::CreateCodebasePrincipal(uri, attrs);
+  NS_ENSURE_TRUE(principal, NS_ERROR_FAILURE);
+
+  principal.forget(aPrincipal);
+  return NS_OK;
 }

 nsresult
--- a/extensions/cookie/test/test_app_uninstall_permissions.html
+++ b/extensions/cookie/test/test_app_uninstall_permissions.html
@ -67,19 +67,22 @@ function onInstall() {

  var currentPermissionCount = getPermissionCountForApp(-1);

-  var principal = secMan.getAppCodebasePrincipal(ioService.newURI("http://www.example.com", null, null),
-                                                 testAppId, false);
+  var attrs = {appId: testAppId};
+  var principal = secMan.createCodebasePrincipal(ioService.newURI("http://www.example.com", null, null),
+                                                 attrs);

  permManager.addFromPrincipal(principal, "foobar", Ci.nsIPermissionManager.ALLOW_ACTION);
  permManager.addFromPrincipal(principal, "foo", Ci.nsIPermissionManager.DENY_ACTION);
  permManager.addFromPrincipal(principal, "bar", Ci.nsIPermissionManager.ALLOW_ACTION, Ci.nsIPermissionManager.EXPIRE_SESSION, 0);

-  principal = secMan.getAppCodebasePrincipal(ioService.newURI("http://www.example.com", null, null),
-                                             testAppId, true);
+  attrs = {appId: testAppId, inBrowser: true};
+  principal = secMan.createCodebasePrincipal(ioService.newURI("http://www.example.com", null, null),
+                                             attrs);
  permManager.addFromPrincipal(principal, "foobar", Ci.nsIPermissionManager.ALLOW_ACTION);

-  principal = secMan.getAppCodebasePrincipal(ioService.newURI("http://www.example.org", null, null),
-                                             testAppId, false);
+  attrs = {appId: testAppId};
+  principal = secMan.createCodebasePrincipal(ioService.newURI("http://www.example.org", null, null),
+                                             attrs);
  permManager.addFromPrincipal(principal, "foobar", Ci.nsIPermissionManager.ALLOW_ACTION);

  is(getPermissionCountForApp(testAppId), 5, "App should have 5 permissions");
--- a/extensions/cookie/test/unit/test_permmanager_cleardata.js
+++ b/extensions/cookie/test/unit/test_permmanager_cleardata.js
@ -6,7 +6,8 @@ let pm;
 // Create a principal based on the { origin, appId, browserElement }.
 function createPrincipal(aOrigin, aAppId, aBrowserElement)
 {
-  return Services.scriptSecurityManager.getAppCodebasePrincipal(NetUtil.newURI(aOrigin), aAppId, aBrowserElement);
+  var attrs = {appId: aAppId, inBrowser: aBrowserElement};
+  return Services.scriptSecurityManager.createCodebasePrincipal(NetUtil.newURI(aOrigin), attrs);
 }

 // Return the subject required by 'webapps-clear-data' notification.
--- a/ipc/glue/BackgroundUtils.cpp
+++ b/ipc/glue/BackgroundUtils.cpp
@ -6,6 +6,7 @@

 #include "MainThreadUtils.h"
 #include "mozilla/Assertions.h"
+#include "mozilla/BasePrincipal.h"
 #include "mozilla/ipc/PBackgroundSharedTypes.h"
 #include "mozilla/net/NeckoChannelParams.h"
 #include "nsPrincipal.h"
@ -23,6 +24,8 @@ namespace net {
 class OptionalLoadInfoArgs;
 }

+using mozilla::BasePrincipal;
+using mozilla::OriginAttributes;
 using namespace mozilla::net;

 namespace ipc {
@ -77,10 +80,10 @@ PrincipalInfoToPrincipal(const PrincipalInfo& aPrincipalInfo,
      if (info.appId() == nsIScriptSecurityManager::UNKNOWN_APP_ID) {
        rv = secMan->GetSimpleCodebasePrincipal(uri, getter_AddRefs(principal));
      } else {
-        rv = secMan->GetAppCodebasePrincipal(uri,
-                                             info.appId(),
-                                             info.isInBrowserElement(),
-                                             getter_AddRefs(principal));
+        // TODO: Bug 1167100 - User nsIPrincipal.originAttribute in ContentPrincipalInfo
+        OriginAttributes attrs(info.appId(), info.isInBrowserElement());
+        principal = BasePrincipal::CreateCodebasePrincipal(uri, attrs);
+        rv = principal ? NS_OK : NS_ERROR_FAILURE;
      }
      if (NS_WARN_IF(NS_FAILED(rv))) {
        return nullptr;
--- a/netwerk/cookie/CookieServiceParent.cpp
+++ b/netwerk/cookie/CookieServiceParent.cpp
@ -7,6 +7,7 @@
 #include "mozilla/dom/PContentParent.h"
 #include "mozilla/net/NeckoParent.h"

+#include "mozilla/BasePrincipal.h"
 #include "mozilla/ipc/URIUtils.h"
 #include "nsCookieService.h"
 #include "nsIScriptSecurityManager.h"
@ -16,6 +17,8 @@
 #include "SerializedLoadContext.h"

 using namespace mozilla::ipc;
+using mozilla::BasePrincipal;
+using mozilla::OriginAttributes;
 using mozilla::dom::PContentParent;
 using mozilla::net::NeckoParent;

@ -29,16 +32,16 @@ CreateDummyChannel(nsIURI* aHostURI, uint32_t aAppId, bool aInMozBrowser,
 {
  MOZ_ASSERT(aAppId != nsIScriptSecurityManager::UNKNOWN_APP_ID);

-  nsCOMPtr<nsIPrincipal> principal;
-  nsIScriptSecurityManager* ssm = nsContentUtils::GetSecurityManager();
-  nsresult rv = ssm->GetAppCodebasePrincipal(aHostURI, aAppId, aInMozBrowser,
-                                             getter_AddRefs(principal));
-  if (NS_FAILED(rv)) {
+  // TODO: Bug 1165267 - Use OriginAttributes for nsCookieService 
+  OriginAttributes attrs(aAppId, aInMozBrowser);
+  nsCOMPtr<nsIPrincipal> principal =
+    BasePrincipal::CreateCodebasePrincipal(aHostURI, attrs);
+  if (!principal) {
    return;
  }

  nsCOMPtr<nsIURI> dummyURI;
-  rv = NS_NewURI(getter_AddRefs(dummyURI), "about:blank");
+  nsresult rv = NS_NewURI(getter_AddRefs(dummyURI), "about:blank");
  if (NS_FAILED(rv)) {
      return;
  }
--- a/netwerk/protocol/http/HttpChannelParent.cpp
+++ b/netwerk/protocol/http/HttpChannelParent.cpp
@ -17,7 +17,6 @@
 #include "nsNetUtil.h"
 #include "nsISupportsPriority.h"
 #include "nsIAuthPromptProvider.h"
-#include "nsIScriptSecurityManager.h"
 #include "nsSerializationHelper.h"
 #include "nsISerializable.h"
 #include "nsIAssociatedContentSecurity.h"
@ -34,7 +33,10 @@
 #include "mozilla/LoadInfo.h"
 #include "nsIHttpHeaderVisitor.h"
 #include "nsQueryObject.h"
+#include "mozilla/BasePrincipal.h"

+using mozilla::BasePrincipal;
+using mozilla::OriginAttributes;
 using namespace mozilla::dom;
 using namespace mozilla::ipc;

@ -464,17 +466,15 @@ HttpChannelParent::DoAsyncOpen(  const URIParams&           aURI,
        mLoadContext->GetIsInBrowserElement(&inBrowser);
      }

+      // TODO: Bug 1165466 - use originAttribute in nsILoadContext.
+      OriginAttributes attrs(appId, inBrowser);
+      nsCOMPtr<nsIPrincipal> principal =
+        BasePrincipal::CreateCodebasePrincipal(uri, attrs);
+
      bool chooseAppCache = false;
-      nsCOMPtr<nsIScriptSecurityManager> secMan =
-        do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID);
-      if (secMan) {
-        nsCOMPtr<nsIPrincipal> principal;
-        secMan->GetAppCodebasePrincipal(uri, appId, inBrowser, getter_AddRefs(principal));
-
-        // This works because we've already called SetNotificationCallbacks and
-        // done mPBOverride logic by this point.
-        chooseAppCache = NS_ShouldCheckAppCache(principal, NS_UsePrivateBrowsing(mChannel));
-      }
+      // This works because we've already called SetNotificationCallbacks and
+      // done mPBOverride logic by this point.
+      chooseAppCache = NS_ShouldCheckAppCache(principal, NS_UsePrivateBrowsing(mChannel));

      appCacheChan->SetChooseApplicationCache(chooseAppCache);
    }
--- a/netwerk/test/unit/test_auth_jar.js
+++ b/netwerk/test/unit/test_auth_jar.js
@ -13,9 +13,9 @@ function run_test() {

  var secMan = Cc["@mozilla.org/scriptsecuritymanager;1"].getService(Ci.nsIScriptSecurityManager);
  const kURI1 = "http://example.com";
-  var app1 = secMan.getAppCodebasePrincipal(createURI(kURI1), 1, false);
-  var app10 = secMan.getAppCodebasePrincipal(createURI(kURI1), 10, false);
-  var app1browser = secMan.getAppCodebasePrincipal(createURI(kURI1), 1, true);
+  var app1 = secMan.createCodebasePrincipal(createURI(kURI1), {appId: 1});
+  var app10 = secMan.createCodebasePrincipal(createURI(kURI1),{appId: 10});
+  var app1browser = secMan.createCodebasePrincipal(createURI(kURI1), {appId: 1, inBrowser: true});

  var am = Cc["@mozilla.org/network/http-auth-manager;1"].
           getService(Ci.nsIHttpAuthManager);
--- a/services/fxaccounts/tests/xpcshell/test_manager.js
+++ b/services/fxaccounts/tests/xpcshell/test_manager.js
@ -25,7 +25,7 @@ function makePrincipal(origin, appId) {
  let secMan = Cc["@mozilla.org/scriptsecuritymanager;1"]
                 .getService(Ci.nsIScriptSecurityManager);
  let uri = Services.io.newURI(origin, null, null);
-  return secMan.getAppCodebasePrincipal(uri, appId, false);
+  return secMan.createCodebasePrincipal(uri, {appId: appId});
 }
 let principal = makePrincipal('app://settings.gaiamobile.org', 27, false);

--- a/services/mobileid/MobileIdentityManager.jsm
+++ b/services/mobileid/MobileIdentityManager.jsm
@ -895,9 +895,7 @@ this.MobileIdentityManager = {
  getMobileIdAssertion: function(aPrincipal, aPromiseId, aOptions) {
    log.debug("getMobileIdAssertion ${}", aPrincipal);

-    let uri = Services.io.newURI(aPrincipal.origin, null, null);
-    let principal = securityManager.getAppCodebasePrincipal(
-      uri, aPrincipal.appId, aPrincipal.isInBrowserElement);
+    let principal = aPrincipal;
    let manifestURL = appsService.getManifestURLByLocalId(aPrincipal.appId);

    let permission = permissionManager.testPermissionFromPrincipal(
--- a/services/mobileid/tests/xpcshell/head.js
+++ b/services/mobileid/tests/xpcshell/head.js
@ -125,9 +125,10 @@ function addPermission(aAction) {
  let uri = Cc["@mozilla.org/network/io-service;1"]
              .getService(Ci.nsIIOService)
              .newURI(ORIGIN, null, null);
+  let attrs = {appId: APP_ID};
  let _principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
                     .getService(Ci.nsIScriptSecurityManager)
-                     .getAppCodebasePrincipal(uri, APP_ID, false);
+                     .createCodebasePrincipal(uri, attrs);
  let pm = Cc["@mozilla.org/permissionmanager;1"]
             .getService(Ci.nsIPermissionManager);
  pm.addFromPrincipal(_principal, MOBILEID_PERM, aAction);
@ -137,9 +138,10 @@ function removePermission() {
  let uri = Cc["@mozilla.org/network/io-service;1"]
              .getService(Ci.nsIIOService)
              .newURI(ORIGIN, null, null);
+  let attrs = {appId: APP_ID};
  let _principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
                     .getService(Ci.nsIScriptSecurityManager)
-                     .getAppCodebasePrincipal(uri, APP_ID, false);
+                     .createCodebasePrincipal(uri, attrs);
  let pm = Cc["@mozilla.org/permissionmanager;1"]
             .getService(Ci.nsIPermissionManager);
  pm.removeFromPrincipal(_principal, MOBILEID_PERM);
--- a/testing/marionette/driver/marionette_driver/marionette.py
+++ b/testing/marionette/driver/marionette_driver/marionette.py
@ -809,9 +809,10 @@ class Marionette(object):
                Components.utils.import("resource://gre/modules/Services.jsm");
                let perm = arguments[0];
                let secMan = Services.scriptSecurityManager;
-                let principal = secMan.getAppCodebasePrincipal(
+                let attrs = {appId: perm.appId, inBrowser: perm.isInBrowserElement};
+                let principal = secMan.createCodebasePrincipal(
                                Services.io.newURI(perm.url, null, null),
-                                perm.appId, perm.isInBrowserElement);
+                                attrs);
                let testPerm = Services.perms.testPermissionFromPrincipal(
                               principal, perm.type);
                return testPerm;
@ -870,8 +871,9 @@ class Marionette(object):
                Components.utils.import("resource://gre/modules/Services.jsm");
                let perm = arguments[0];
                let secMan = Services.scriptSecurityManager;
-                let principal = secMan.getAppCodebasePrincipal(Services.io.newURI(perm.url, null, null),
-                                perm.appId, perm.isInBrowserElement);
+                let attrs = {appId: perm.appId, inBrowser: perm.isInBrowserElement};
+                let principal = secMan.createCodebasePrincipal(Services.io.newURI(perm.url, null, null),
+                                                               attrs);
                Services.perms.addFromPrincipal(principal, perm.type, perm.action);
                return true;
                """, script_args=[perm])
--- a/testing/mochitest/tests/Harness_sanity/test_bug816847.html
+++ b/testing/mochitest/tests/Harness_sanity/test_bug816847.html
@ -36,12 +36,7 @@ const perms = ['network-events', 'geolocation', 'camera', 'alarms']
 function createPrincipal(aURI, aIsApp, aIsInBrowserElement) {
  if(aIsApp) {
    var app = appsSvc.getAppByManifestURL(aURI);
-    var localId = appsSvc.getAppLocalIdByManifestURL(aURI);
-    var uri = Services.io.newURI(app.origin, null, null);
-    return Services.scriptSecurityManager
-                   .getAppCodebasePrincipal(uri,
-                                            localId,
-                                            aIsInBrowserElement);
+    return app.principal;
  }

  var uri = Services.io.newURI(aURI, null, null);
--- a/testing/specialpowers/content/SpecialPowersObserverAPI.js
+++ b/testing/specialpowers/content/SpecialPowersObserverAPI.js
@ -314,7 +314,9 @@ SpecialPowersObserverAPI.prototype = {
        let msg = aMessage.json;

        let secMan = Services.scriptSecurityManager;
-        let principal = secMan.getAppCodebasePrincipal(this._getURI(msg.url), msg.appId, msg.isInBrowserElement);
+        // TODO: Bug 1196665 - Add originAttributes into SpecialPowers
+        let attrs = {appId: msg.appId, inBrowser: msg.isInBrowserElement};
+        let principal = secMan.createCodebasePrincipal(this._getURI(msg.url), attrs);

        switch (msg.op) {
          case "add":
--- a/uriloader/prefetch/OfflineCacheUpdateParent.cpp
+++ b/uriloader/prefetch/OfflineCacheUpdateParent.cpp
@ -5,6 +5,7 @@

 #include "OfflineCacheUpdateParent.h"

+#include "mozilla/BasePrincipal.h"
 #include "mozilla/dom/TabParent.h"
 #include "mozilla/ipc/URIUtils.h"
 #include "mozilla/unused.h"
@ -12,9 +13,10 @@
 #include "nsIApplicationCache.h"
 #include "nsIScriptSecurityManager.h"
 #include "nsNetUtil.h"
-#include "nsContentUtils.h"

 using namespace mozilla::ipc;
+using mozilla::BasePrincipal;
+using mozilla::OriginAttributes;
 using mozilla::dom::TabParent;

 //
@ -91,10 +93,10 @@ OfflineCacheUpdateParent::Schedule(const URIParams& aManifestURI,

    bool offlinePermissionAllowed = false;

-    nsCOMPtr<nsIPrincipal> principal;
-    nsContentUtils::GetSecurityManager()->
-        GetAppCodebasePrincipal(manifestURI, mAppId, mIsInBrowserElement,
-                                getter_AddRefs(principal));
+    // TODO: Bug 1165466 - use OriginAttributes
+    OriginAttributes attrs(mAppId, mIsInBrowserElement);
+    nsCOMPtr<nsIPrincipal> principal =
+      BasePrincipal::CreateCodebasePrincipal(manifestURI, attrs);

    nsresult rv = service->OfflineAppAllowed(
        principal, nullptr, &offlinePermissionAllowed);