Bug 1165272 - Part 2: Replace getNoAppCodebasePrincipal. r=bholley
authorYoshi Huang <allstars.chh@mozilla.com>
Mon, 24 Aug 2015 01:18:00 -0400
changeset 259051 8d116b0d696f461cd63840f1dd21430b47e740a5
parent 259050 8b37e978d6078937778b05febdb787d6313b1e2f
child 259052 2bd4cb790c48d3f6d3da0ea9b03ce5cfb40e6b46
push id14810
push userryanvm@gmail.com
push dateTue, 25 Aug 2015 00:58:35 +0000
treeherderfx-team@04b8c412d9f5 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbholley
bugs1165272
milestone43.0a1
Bug 1165272 - Part 2: Replace getNoAppCodebasePrincipal. r=bholley
browser/base/content/aboutSocialError.xhtml
browser/base/content/test/general/browser_offlineQuotaNotification.js
browser/base/content/test/general/browser_sanitizeDialog.js
browser/base/content/test/general/test_offlineNotification.html
browser/base/content/test/general/test_offline_gzip.html
browser/base/content/test/newtab/head.js
browser/components/feeds/FeedConverter.js
browser/components/preferences/aboutPermissions.js
browser/components/preferences/permissions.js
browser/components/preferences/tests/browser_permissions.js
browser/devtools/styleinspector/test/browser_styleinspector_csslogic-content-stylesheets.js
browser/extensions/pdfjs/content/PdfStreamConverter.jsm
browser/extensions/shumway/chrome/SpecialStorage.jsm
browser/modules/Feeds.jsm
caps/nsIScriptSecurityManager.idl
dom/cache/test/mochitest/test_chrome_constructor.html
dom/indexedDB/test/head.js
dom/indexedDB/test/unit/test_defaultStorageUpgrade.js
dom/indexedDB/test/unit/test_idle_maintenance.js
dom/indexedDB/test/unit/test_metadataRestore.js
dom/indexedDB/test/unit/test_open_for_principal.js
dom/indexedDB/test/unit/test_temporary_storage.js
dom/tests/mochitest/chrome/test_MozDomFullscreen_event.xul
dom/tests/mochitest/localstorage/test_localStorageFromChrome.xhtml
extensions/cookie/nsPermission.cpp
extensions/cookie/nsPermissionManager.cpp
extensions/cookie/test/unit/test_permmanager_defaults.js
extensions/cookie/test/unit/test_permmanager_expiration.js
extensions/cookie/test/unit/test_permmanager_getPermissionObject.js
extensions/cookie/test/unit/test_permmanager_idn.js
extensions/cookie/test/unit/test_permmanager_load_invalid_entries.js
extensions/cookie/test/unit/test_permmanager_local_files.js
extensions/cookie/test/unit/test_permmanager_matches.js
extensions/cookie/test/unit/test_permmanager_matchesuri.js
extensions/cookie/test/unit/test_permmanager_notifications.js
extensions/cookie/test/unit/test_permmanager_removesince.js
extensions/cookie/test/unit/test_permmanager_subdomains.js
extensions/cookie/test/unit_ipc/test_child.js
extensions/cookie/test/unit_ipc/test_parent.js
gfx/thebes/gfxSVGGlyphs.cpp
js/xpconnect/src/Sandbox.cpp
netwerk/test/unit/test_auth_dialog_permission.js
netwerk/test/unit/test_fallback_no-cache-entry_canceled.js
netwerk/test/unit/test_fallback_no-cache-entry_passing.js
netwerk/test/unit/test_fallback_redirect-to-different-origin_canceled.js
netwerk/test/unit/test_fallback_redirect-to-different-origin_passing.js
netwerk/test/unit/test_fallback_request-error_canceled.js
netwerk/test/unit/test_fallback_request-error_passing.js
netwerk/test/unit/test_fallback_response-error_canceled.js
netwerk/test/unit/test_fallback_response-error_passing.js
netwerk/test/unit/test_offlinecache_custom-directory.js
netwerk/test/unit/test_packaged_app_service.js
netwerk/test/unit/test_packaged_app_service_paths.js
netwerk/test/unit/test_permmgr.js
services/sync/Weave.js
testing/mochitest/tests/Harness_sanity/test_bug816847.html
toolkit/components/downloads/ApplicationReputation.cpp
toolkit/components/downloads/test/unit/test_app_rep.js
toolkit/components/places/BookmarkJSONUtils.jsm
toolkit/components/places/nsLivemarkService.js
toolkit/components/social/SocialService.jsm
toolkit/components/url-classifier/tests/unit/head_urlclassifier.js
toolkit/components/url-classifier/tests/unit/test_dbservice.js
toolkit/components/url-classifier/tests/unit/test_digest256.js
toolkit/forgetaboutsite/test/unit/test_removeDataFromDomain.js
toolkit/modules/NewTabUtils.jsm
toolkit/modules/PermissionsUtils.jsm
toolkit/webapps/NativeApp.jsm
uriloader/prefetch/nsOfflineCacheUpdateService.cpp
--- a/browser/base/content/aboutSocialError.xhtml
+++ b/browser/base/content/aboutSocialError.xhtml
@@ -50,17 +50,18 @@
       let mode = searchParams.get("mode");
       config.origin = searchParams.get("origin");
       let encodedURL = searchParams.get("url");
       let url = decodeURIComponent(encodedURL);
       // directory does not have origin set, in that case use the url origin for
       // the error message.
       if (!config.origin) {
         let URI = Services.io.newURI(url, null, null);
-        config.origin = Services.scriptSecurityManager.getNoAppCodebasePrincipal(URI).origin;
+        config.origin =
+          Services.scriptSecurityManager.createCodebasePrincipal(URI, {}).origin;
       }
 
       switch (mode) {
         case "compactInfo":
           document.getElementById("btnTryAgain").style.display = 'none';
           break;
         case "tryAgainOnly":
           //intentional fall-through
--- a/browser/base/content/test/general/browser_offlineQuotaNotification.js
+++ b/browser/base/content/test/general/browser_offlineQuotaNotification.js
@@ -6,17 +6,17 @@
 // Test offline quota warnings - must be run as a mochitest-browser test or
 // else the test runner gets in the way of notifications due to bug 857897.
 
 const URL = "http://mochi.test:8888/browser/browser/base/content/test/general/offlineQuotaNotification.html";
 
 registerCleanupFunction(function() {
   // Clean up after ourself
   let uri = Services.io.newURI(URL, null, null);
-  var principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri);
+  let principal = Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
   Services.perms.removeFromPrincipal(principal, "offline-app");
   Services.prefs.clearUserPref("offline-apps.quota.warn");
   Services.prefs.clearUserPref("offline-apps.allow_by_default");
 });
 
 // Check that the "preferences" UI is opened and showing which websites have
 // offline storage permissions - currently this is the "network" tab in the
 // "advanced" pane.
--- a/browser/base/content/test/general/browser_sanitizeDialog.js
+++ b/browser/base/content/test/general/browser_sanitizeDialog.js
@@ -559,17 +559,17 @@ var gAllTests = [
     var URL = "http://www.example.com";
 
     var ios = Cc["@mozilla.org/network/io-service;1"]
               .getService(Ci.nsIIOService);
     var URI = ios.newURI(URL, null, null);
 
     var sm = Cc["@mozilla.org/scriptsecuritymanager;1"]
              .getService(Ci.nsIScriptSecurityManager);
-    var principal = sm.getNoAppCodebasePrincipal(URI);
+    var principal = sm.createCodebasePrincipal(URI, {});
 
     // Give www.example.com privileges to store offline data
     var pm = Cc["@mozilla.org/permissionmanager;1"]
              .getService(Ci.nsIPermissionManager);
     pm.addFromPrincipal(principal, "offline-app", Ci.nsIPermissionManager.ALLOW_ACTION);
     pm.addFromPrincipal(principal, "offline-app", Ci.nsIOfflineCacheUpdateService.ALLOW_NO_WARN);
 
     // Store something to the offline cache
@@ -629,17 +629,17 @@ var gAllTests = [
     var URL = "http://www.example.com";
 
     var ios = Cc["@mozilla.org/network/io-service;1"]
               .getService(Ci.nsIIOService);
     var URI = ios.newURI(URL, null, null);
 
     var sm = Cc["@mozilla.org/scriptsecuritymanager;1"]
              .getService(Ci.nsIScriptSecurityManager);
-    var principal = sm.getNoAppCodebasePrincipal(URI);
+    var principal = sm.createCodebasePrincipal(URI, {});
 
     // Open the dialog
     let wh = new WindowHelper();
     wh.onload = function () {
       this.selectDuration(Sanitizer.TIMESPAN_EVERYTHING);
       // Show details
       this.toggleDetails();
       // Clear only offlineApps
--- a/browser/base/content/test/general/test_offlineNotification.html
+++ b/browser/base/content/test/general/test_offlineNotification.html
@@ -38,22 +38,20 @@ window.addEventListener("message", funct
       // Clean up after ourself
       var pm = Cc["@mozilla.org/permissionmanager;1"].
                getService(SpecialPowers.Ci.nsIPermissionManager);
       var ioService = Cc["@mozilla.org/network/io-service;1"]
                         .getService(SpecialPowers.Ci.nsIIOService);
       var uri1 = ioService.newURI(frames.testFrame.location, null, null);
       var uri2 = ioService.newURI(frames.testFrame3.location, null, null);
 
-      var principal1 = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                        .getService(SpecialPowers.Ci.nsIScriptSecurityManager)
-                        .getNoAppCodebasePrincipal(uri1);
-      var principal2 = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                        .getService(SpecialPowers.Ci.nsIScriptSecurityManager)
-                        .getNoAppCodebasePrincipal(uri2);
+      var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+                  .getService(SpecialPowers.Ci.nsIScriptSecurityManager);
+      var principal1 = ssm.createCodebasePrincipal(uri1, {});
+      var principal2 = ssm.createCodebasePrincipal(uri2, {});
 
       pm.removeFromPrincipal(principal1, "offline-app");
       pm.removeFromPrincipal(principal2, "offline-app");
 
       offlineByDefault.reset();
 
       SimpleTest.finish();
     }
--- a/browser/base/content/test/general/test_offline_gzip.html
+++ b/browser/base/content/test/general/test_offline_gzip.html
@@ -34,19 +34,19 @@ SimpleTest.waitForExplicitFinish();
 function finishTest() {
   // Clean up after ourselves.
   var Cc = SpecialPowers.Cc;
   var pm = Cc["@mozilla.org/permissionmanager;1"].
            getService(SpecialPowers.Ci.nsIPermissionManager);
 
   var uri = Cc["@mozilla.org/network/io-service;1"].getService(SpecialPowers.Ci.nsIIOService)
               .newURI(window.frames[0].location, null, null);
-  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                   .getService(SpecialPowers.Ci.nsIScriptSecurityManager)
-                   .getNoAppCodebasePrincipal(uri);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(SpecialPowers.Ci.nsIScriptSecurityManager);
+  var principal = ssm.createCodebasePrincipal(uri, {});
 
   pm.removeFromPrincipal(principal, "offline-app");
 
   window.removeEventListener("message", handleMessageEvents, false);
 
   offlineByDefault.reset();
   SimpleTest.finish();  
 }
--- a/browser/base/content/test/newtab/head.js
+++ b/browser/base/content/test/newtab/head.js
@@ -13,17 +13,17 @@ Cu.import("resource:///modules/Directory
 Cu.import("resource://testing-common/PlacesTestUtils.jsm", tmp);
 Cc["@mozilla.org/moz/jssubscript-loader;1"]
   .getService(Ci.mozIJSSubScriptLoader)
   .loadSubScript("chrome://browser/content/sanitize.js", tmp);
 Cu.import("resource://gre/modules/Timer.jsm", tmp);
 let {Promise, NewTabUtils, Sanitizer, clearTimeout, setTimeout, DirectoryLinksProvider, PlacesTestUtils} = tmp;
 
 let uri = Services.io.newURI("about:newtab", null, null);
-let principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri);
+let principal = Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
 
 let isMac = ("nsILocalFileMac" in Ci);
 let isLinux = ("@mozilla.org/gnome-gconf-service;1" in Cc);
 let isWindows = ("@mozilla.org/windows-registry-key;1" in Cc);
 let gWindow = window;
 
 // Default to dummy/empty directory links
 let gDirectorySource = 'data:application/json,{"test":1}';
--- a/browser/components/feeds/FeedConverter.js
+++ b/browser/components/feeds/FeedConverter.js
@@ -249,17 +249,17 @@ FeedConverter.prototype = {
         // page can access it.
         feedService.addFeedResult(result);
 
         // Now load the actual XUL document.
         var aboutFeedsURI = ios.newURI("about:feeds", null, null);
         chromeChannel = ios.newChannelFromURIWithLoadInfo(aboutFeedsURI, loadInfo);
         chromeChannel.originalURI = result.uri;
         chromeChannel.owner =
-          Services.scriptSecurityManager.getNoAppCodebasePrincipal(aboutFeedsURI);
+          Services.scriptSecurityManager.createCodebasePrincipal(aboutFeedsURI, {});
       } else {
         chromeChannel = ios.newChannelFromURIWithLoadInfo(result.uri, loadInfo);
       }
 
       chromeChannel.loadGroup = this._request.loadGroup;
       chromeChannel.asyncOpen(this._listener, null);
     }
     finally {
--- a/browser/components/preferences/aboutPermissions.js
+++ b/browser/components/preferences/aboutPermissions.js
@@ -492,17 +492,17 @@ let AboutPermissions = {
     gSitesStmt.params.limit = this.PLACES_SITES_LIMIT;
     gSitesStmt.executeAsync({
       handleResult: function(aResults) {
         AboutPermissions.startSitesListBatch();
         let row;
         while (row = aResults.getNextRow()) {
           let spec = row.getResultByName("url");
           let uri = NetUtil.newURI(spec);
-          let principal = gSecMan.getNoAppCodebasePrincipal(uri);
+          let principal = gSecMan.createCodebasePrincipal(uri, {});
 
           AboutPermissions.addPrincipal(principal);
         }
         AboutPermissions.endSitesListBatch();
       },
       handleError: function(aError) {
         Cu.reportError("AboutPermissions: " + aError);
       },
@@ -543,33 +543,33 @@ let AboutPermissions = {
     let logins = Services.logins.getAllLogins();
     logins.forEach(function(aLogin) {
       if (itemCnt % this.LIST_BUILD_CHUNK == 0) {
         yield true;
       }
       try {
         // aLogin.hostname is a string in origin URL format (e.g. "http://foo.com")
         let uri = NetUtil.newURI(aLogin.hostname);
-        let principal = gSecMan.getNoAppCodebasePrincipal(uri);
+        let principal = gSecMan.createCodebasePrincipal(uri, {});
         this.addPrincipal(principal);
       } catch (e) {
         // newURI will throw for add-ons logins stored in chrome:// URIs
       }
       itemCnt++;
     }, this);
 
     let disabledHosts = Services.logins.getAllDisabledHosts();
     disabledHosts.forEach(function(aHostname) {
       if (itemCnt % this.LIST_BUILD_CHUNK == 0) {
         yield true;
       }
       try {
         // aHostname is a string in origin URL format (e.g. "http://foo.com")
         let uri = NetUtil.newURI(aHostname);
-        let principal = gSecMan.getNoAppCodebasePrincipal(uri);
+        let principal = gSecMan.createCodebasePrincipal(uri, {});
         this.addPrincipal(principal);
       } catch (e) {
         // newURI will throw for add-ons logins stored in chrome:// URIs
       }
       itemCnt++;
     }, this);
 
     let enumerator = Services.perms.enumerator;
--- a/browser/components/preferences/permissions.js
+++ b/browser/components/preferences/permissions.js
@@ -90,22 +90,22 @@ var gPermissionManager = {
       // help catch cases where the URI parser parsed something like
       // `localhost:8080` as having the scheme `localhost`, rather than being
       // an invalid URI. A canonical origin representation is required by the
       // permission manager for storage, so this won't prevent any valid
       // permissions from being entered by the user.
       let uri;
       try {
         uri = Services.io.newURI(input_url, null, null);
-        principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri);
+        principal = Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
         // If we have ended up with an unknown scheme, the following will throw.
         principal.origin;
       } catch(ex) {
         uri = Services.io.newURI("http://" + input_url, null, null);
-        principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri);
+        principal = Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
         // If we have ended up with an unknown scheme, the following will throw.
         principal.origin;
       }
     } catch(ex) {
       var message = this._bundle.getString("invalidURI");
       var title = this._bundle.getString("invalidURITitle");
       Services.prompt.alert(window, title, message);
       return;
--- a/browser/components/preferences/tests/browser_permissions.js
+++ b/browser/components/preferences/tests/browser_permissions.js
@@ -3,18 +3,20 @@
 
 Components.utils.import("resource://gre/modules/NetUtil.jsm");
 
 const ABOUT_PERMISSIONS_SPEC = "about:permissions";
 
 const TEST_URI_1 = NetUtil.newURI("http://mozilla.com/");
 const TEST_URI_2 = NetUtil.newURI("http://mozilla.org/");
 
-const TEST_PRINCIPAL_1 = Services.scriptSecurityManager.getNoAppCodebasePrincipal(TEST_URI_1);
-const TEST_PRINCIPAL_2 = Services.scriptSecurityManager.getNoAppCodebasePrincipal(TEST_URI_2);
+const TEST_PRINCIPAL_1 =
+  Services.scriptSecurityManager.createCodebasePrincipal(TEST_URI_1, {});
+const TEST_PRINCIPAL_2 =
+  Services.scriptSecurityManager.createCodebasePrincipal(TEST_URI_2, {});
 
 // values from DefaultPermissions object
 const PERM_UNKNOWN = 0;
 const PERM_ALLOW = 1;
 const PERM_DENY = 2;
 // cookie specific permissions
 const PERM_FIRST_PARTY_ONLY = 9;
 
--- a/browser/devtools/styleinspector/test/browser_styleinspector_csslogic-content-stylesheets.js
+++ b/browser/devtools/styleinspector/test/browser_styleinspector_csslogic-content-stylesheets.js
@@ -10,19 +10,19 @@
 // toolkit/devtools/server/tests/mochitest/test_css-logic-...something...html
 // test
 
 const TEST_URI_HTML = TEST_URL_ROOT + "doc_content_stylesheet.html";
 const TEST_URI_XUL = TEST_URL_ROOT + "doc_content_stylesheet.xul";
 const XUL_URI = Cc["@mozilla.org/network/io-service;1"]
                 .getService(Ci.nsIIOService)
                 .newURI(TEST_URI_XUL, null, null);
-const XUL_PRINCIPAL = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                        .getService(Ci.nsIScriptSecurityManager)
-                        .getNoAppCodebasePrincipal(XUL_URI);
+let ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                            .getService(Ci.nsIScriptSecurityManager);
+const XUL_PRINCIPAL = ssm.createCodebasePrincipal(XUL_URI, {});
 
 add_task(function*() {
   info("Checking stylesheets on HTML document");
   yield addTab(TEST_URI_HTML);
   let target = getNode("#target");
 
   let {inspector} = yield openRuleView();
   yield selectNode("#target", inspector);
--- a/browser/extensions/pdfjs/content/PdfStreamConverter.jsm
+++ b/browser/extensions/pdfjs/content/PdfStreamConverter.jsm
@@ -990,24 +990,31 @@ PdfStreamConverter.prototype = {
     };
 
     // Keep the URL the same so the browser sees it as the same.
     channel.originalURI = aRequest.URI;
     channel.loadGroup = aRequest.loadGroup;
 
     // We can use resource principal when data is fetched by the chrome
     // e.g. useful for NoScript
-    var securityManager = Cc['@mozilla.org/scriptsecuritymanager;1']
-                          .getService(Ci.nsIScriptSecurityManager);
+    var ssm = Cc['@mozilla.org/scriptsecuritymanager;1']
+                .getService(Ci.nsIScriptSecurityManager);
     var uri = NetUtil.newURI(PDF_VIEWER_WEB_PAGE, null, null);
     // FF16 and below had getCodebasePrincipal, it was replaced by
     // getNoAppCodebasePrincipal (bug 758258).
-    var resourcePrincipal = 'getNoAppCodebasePrincipal' in securityManager ?
-                            securityManager.getNoAppCodebasePrincipal(uri) :
-                            securityManager.getCodebasePrincipal(uri);
+    // FF 43 added createCodebasePrincipal to replace getNoAppCodebasePrincipal
+    // (bug 1165272).
+    var resourcePrincipal
+    if ('createCodebasePrincipal' in ssm) {
+      resourcePrincipal = ssm.createCodebasePrincipal(uri, {});
+    } else if ('getNoAppCodebasePrincipal' in ssm) {
+      resourcePrincipal = ssm.getNoAppCodebasePrincipal(uri)
+    } else {
+      resourcePrincipal = ssm.getCodebasePrincipal(uri);
+    }
     aRequest.owner = resourcePrincipal;
     channel.asyncOpen(proxy, aContext);
   },
 
   // nsIRequestObserver::onStopRequest
   onStopRequest: function(aRequest, aContext, aStatusCode) {
     if (!this.dataListener) {
       // Do nothing
--- a/browser/extensions/shumway/chrome/SpecialStorage.jsm
+++ b/browser/extensions/shumway/chrome/SpecialStorage.jsm
@@ -17,19 +17,19 @@
 var EXPORTED_SYMBOLS = ['SpecialStorageUtils'];
 
 Components.utils.import('resource://gre/modules/Services.jsm');
 
 var SpecialStorageUtils = {
   createWrappedSpecialStorage: function (sandbox, swfUrl, privateBrowsing) {
     // Creating internal localStorage object based on url and privateBrowsing setting.
     var uri = Services.io.newURI(swfUrl, null, null);
-    var principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                              .getService(Components.interfaces.nsIScriptSecurityManager)
-                              .getNoAppCodebasePrincipal(uri);
+    var ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                                .getService(Components.interfaces.nsIScriptSecurityManager);
+    var principal = ssm.createCodebasePrincipal(uri, {});
     var dsm = Components.classes["@mozilla.org/dom/localStorage-manager;1"]
                                 .getService(Components.interfaces.nsIDOMStorageManager);
     var storage = dsm.createStorage(null, principal, privateBrowsing);
 
     // We will return object created in the sandbox/content, with some exposed
     // properties/methods, so we can send data between wrapped object and
     // and sandbox/content.
     var wrapper = Components.utils.cloneInto({
--- a/browser/modules/Feeds.jsm
+++ b/browser/modules/Feeds.jsm
@@ -61,17 +61,18 @@ this.Feeds = {
     if (!aIsFeed) {
       aIsFeed = (type == "application/rss+xml" ||
                  type == "application/atom+xml");
     }
 
     if (aIsFeed) {
       // re-create the principal as it may be a CPOW.
       let principalURI = BrowserUtils.makeURIFromCPOW(aPrincipal.URI);
-      let principalToCheck = Services.scriptSecurityManager.getNoAppCodebasePrincipal(principalURI);
+      let principalToCheck =
+        Services.scriptSecurityManager.createCodebasePrincipal(principalURI, {});
       try {
         BrowserUtils.urlSecurityCheck(aLink.href, principalToCheck,
                                       Ci.nsIScriptSecurityManager.DISALLOW_INHERIT_PRINCIPAL);
         return type || "application/rss+xml";
       }
       catch(ex) {
       }
     }
--- a/caps/nsIScriptSecurityManager.idl
+++ b/caps/nsIScriptSecurityManager.idl
@@ -21,17 +21,17 @@ class DomainPolicyClone;
 }
 }
 %}
 
 [ptr] native JSContextPtr(JSContext);
 [ptr] native JSObjectPtr(JSObject);
 [ptr] native DomainPolicyClonePtr(mozilla::dom::DomainPolicyClone);
 
-[scriptable, uuid(73f92674-f59d-4c9b-a9b5-f7a3ae8ffa98)]
+[scriptable, uuid(6e8a4d1e-d9c6-4d86-bf53-d73f58f36148)]
 interface nsIScriptSecurityManager : nsISupports
 {
     /**
      * For each of these hooks returning NS_OK means 'let the action continue'.
      * Returning an error code means 'veto the action'. XPConnect will return
      * false to the js engine if the action is vetoed. The implementor of this
      * interface is responsible for setting a JS exception into the JSContext
      * if that is appropriate.
@@ -172,18 +172,20 @@ interface nsIScriptSecurityManager : nsI
      */
     nsIPrincipal getDocShellCodebasePrincipal(in nsIURI uri,
                                               in nsIDocShell docShell);
 
     /**
      * Returns a principal with that has the same origin as uri and is not part
      * of an appliction.
      * The returned principal will have appId = NO_APP_ID.
+     *
+     * @deprecated use createCodebasePrincipal instead.
      */
-    nsIPrincipal getNoAppCodebasePrincipal(in nsIURI uri);
+    [deprecated] nsIPrincipal getNoAppCodebasePrincipal(in nsIURI uri);
 
     /**
      * Legacy method for getting a principal with no origin attributes.
      *
      * @deprecated use createCodebasePrincipal instead.
      */
     [deprecated] nsIPrincipal getCodebasePrincipal(in nsIURI uri);
 
--- a/dom/cache/test/mochitest/test_chrome_constructor.html
+++ b/dom/cache/test/mochitest/test_chrome_constructor.html
@@ -15,17 +15,17 @@
 
   SpecialPowers.pushPrefEnv({
     "set": [["dom.caches.enabled", true],
             ["dom.caches.testing.enabled", true]],
   }, function() {
     // attach to a different origin's CacheStorage
     var url = 'http://example.com/';
     var uri = Services.io.newURI(url, null, null);
-    var principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri);
+    var principal = Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
     var storage = new CacheStorage('content', principal);
 
     // verify we can use the other origin's CacheStorage as normal
     var req = new Request('http://example.com/index.html');
     var res = new Response('hello world');
     var cache;
     storage.open('foo').then(function(c) {
       cache = c;
--- a/dom/indexedDB/test/head.js
+++ b/dom/indexedDB/test/head.js
@@ -111,45 +111,45 @@ function dispatchEvent(eventName)
 
 function setPermission(url, permission)
 {
   const nsIPermissionManager = Components.interfaces.nsIPermissionManager;
 
   let uri = Components.classes["@mozilla.org/network/io-service;1"]
                       .getService(Components.interfaces.nsIIOService)
                       .newURI(url, null, null);
-  let principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  let ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                      .getService(Ci.nsIScriptSecurityManager);
+  let principal = ssm.createCodebasePrincipal(uri, {});
 
   Components.classes["@mozilla.org/permissionmanager;1"]
             .getService(nsIPermissionManager)
             .addFromPrincipal(principal, permission,
                               nsIPermissionManager.ALLOW_ACTION);
 }
 
 function removePermission(url, permission)
 {
   let uri = Components.classes["@mozilla.org/network/io-service;1"]
                       .getService(Components.interfaces.nsIIOService)
                       .newURI(url, null, null);
-  let principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  let ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                      .getService(Ci.nsIScriptSecurityManager);
+  let principal = ssm.createCodebasePrincipal(uri, {});
 
   Components.classes["@mozilla.org/permissionmanager;1"]
             .getService(Components.interfaces.nsIPermissionManager)
             .removeFromPrincipal(principal, permission);
 }
 
 function getPermission(url, permission)
 {
   let uri = Components.classes["@mozilla.org/network/io-service;1"]
                       .getService(Components.interfaces.nsIIOService)
                       .newURI(url, null, null);
-  let principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  let ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                      .getService(Ci.nsIScriptSecurityManager);
+  let principal = ssm.createCodebasePrincipal(uri, {});
 
   return Components.classes["@mozilla.org/permissionmanager;1"]
                    .getService(Components.interfaces.nsIPermissionManager)
                    .testPermissionFromPrincipal(principal, permission);
 }
--- a/dom/indexedDB/test/unit/test_defaultStorageUpgrade.js
+++ b/dom/indexedDB/test/unit/test_defaultStorageUpgrade.js
@@ -85,24 +85,20 @@ function testSteps()
 
   let ssm = SpecialPowers.Cc["@mozilla.org/scriptsecuritymanager;1"]
                          .getService(SpecialPowers.Ci.nsIScriptSecurityManager);
 
   function openDatabase(params) {
     let request;
     if ("url" in params) {
       let uri = ios.newURI(params.url, null, null);
-      let principal;
-      if ("appId" in params) {
-        principal =
-          ssm.createCodebasePrincipal(uri, {appId: params.appId,
-                                            inBrowser: params.inMozBrowser});
-      } else {
-        principal = ssm.getNoAppCodebasePrincipal(uri);
-      }
+      let principal =
+        ssm.createCodebasePrincipal(uri,
+                                    {appId: params.appId || ssm.NO_APPID,
+                                     inBrowser: params.inMozBrowser});
       if ("dbVersion" in params) {
         request = indexedDB.openForPrincipal(principal, params.dbName,
                                              params.dbVersion);
       } else {
         request = indexedDB.openForPrincipal(principal, params.dbName,
                                              params.dbOptions);
       }
     } else {
--- a/dom/indexedDB/test/unit/test_idle_maintenance.js
+++ b/dom/indexedDB/test/unit/test_idle_maintenance.js
@@ -5,19 +5,19 @@
 
 var testGenerator = testSteps();
 
 function testSteps()
 {
   let uri = Cc["@mozilla.org/network/io-service;1"].
             getService(Ci.nsIIOService).
             newURI("https://www.example.com", null, null);
-  let principal = Cc["@mozilla.org/scriptsecuritymanager;1"].
-                  getService(Ci.nsIScriptSecurityManager).
-                  getNoAppCodebasePrincipal(uri);
+  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+  let principal = ssm.createCodebasePrincipal(uri, {});
 
   info("Setting permissions");
 
   let permMgr =
     Cc["@mozilla.org/permissionmanager;1"].getService(Ci.nsIPermissionManager);
   permMgr.add(uri, "indexedDB", Ci.nsIPermissionManager.ALLOW_ACTION);
 
   info("Setting idle preferences to prevent real 'idle-daily' notification");
--- a/dom/indexedDB/test/unit/test_metadataRestore.js
+++ b/dom/indexedDB/test/unit/test_metadataRestore.js
@@ -62,17 +62,17 @@ function testSteps()
 
   let ssm = SpecialPowers.Cc["@mozilla.org/scriptsecuritymanager;1"]
                          .getService(SpecialPowers.Ci.nsIScriptSecurityManager);
 
   function openDatabase(params) {
     let request;
     if ("url" in params) {
       let uri = ios.newURI(params.url, null, null);
-      let principal = ssm.getNoAppCodebasePrincipal(uri);
+      let principal = ssm.createCodebasePrincipal(uri, {});
       request = indexedDB.openForPrincipal(principal, params.dbName,
                                            params.dbOptions);
     } else {
       request = indexedDB.open(params.dbName, params.dbOptions);
     }
     return request;
   }
 
--- a/dom/indexedDB/test/unit/test_open_for_principal.js
+++ b/dom/indexedDB/test/unit/test_open_for_principal.js
@@ -43,19 +43,19 @@ function testSteps()
   request.onsuccess = grabEventAndContinueHandler;
   event = yield undefined;
 
   is(event.target.result, data.key, "Got correct key");
 
   let uri = Components.classes["@mozilla.org/network/io-service;1"]
                       .getService(Components.interfaces.nsIIOService)
                       .newURI("http://appdata.example.com", null, null);
-  let principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                     .getService(Components.interfaces.nsIScriptSecurityManager)
-                     .getNoAppCodebasePrincipal(uri);
+  let ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                      .getService(Components.interfaces.nsIScriptSecurityManager);
+  let principal = ssm.createCodebasePrincipal(uri, {});
 
   request = indexedDB.openForPrincipal(principal, name, 1);
   request.onerror = errorHandler;
   request.onupgradeneeded = grabEventAndContinueHandler;
   request.onsuccess = grabEventAndContinueHandler;
   event = yield undefined;
 
   is(event.type, "upgradeneeded", "Got correct event type");
--- a/dom/indexedDB/test/unit/test_temporary_storage.js
+++ b/dom/indexedDB/test/unit/test_temporary_storage.js
@@ -29,19 +29,19 @@ function testSteps()
   function getSpec(index) {
     return "http://foo" + index + ".com";
   }
 
   function getPrincipal(url) {
     let uri = Cc["@mozilla.org/network/io-service;1"]
                 .getService(Ci.nsIIOService)
                 .newURI(url, null, null);
-    return Cc["@mozilla.org/scriptsecuritymanager;1"]
-             .getService(Ci.nsIScriptSecurityManager)
-             .getNoAppCodebasePrincipal(uri);
+    let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+                .getService(Ci.nsIScriptSecurityManager);
+    return ssm.createCodebasePrincipal(uri, {});
   }
 
   for (let temporary of [true, false]) {
     info("Testing '" + (temporary ? "temporary" : "default") + "' storage");
 
     setLimit(tempStorageLimitKB);
 
     clearAllDatabases(continueToNextStepSync);
--- a/dom/tests/mochitest/chrome/test_MozDomFullscreen_event.xul
+++ b/dom/tests/mochitest/chrome/test_MozDomFullscreen_event.xul
@@ -22,19 +22,19 @@ function make_uri(url) {
   var ios = Cc["@mozilla.org/network/io-service;1"].
             getService(Ci.nsIIOService);
   return ios.newURI(url, null, null);
 }
 
 // Ensure "fullscreen" permissions are not present on the test URI.
 var pm = Cc["@mozilla.org/permissionmanager;1"].getService(Ci.nsIPermissionManager);
 var uri = make_uri("http://mochi.test:8888");
-var principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                  .getService(Ci.nsIScriptSecurityManager)
-                  .getNoAppCodebasePrincipal(uri);
+var ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                            .getService(Ci.nsIScriptSecurityManager);
+var principal = ssm.createCodebasePrincipal(uri, {});
 pm.removeFromPrincipal(principal, "fullscreen");
 
 SpecialPowers.pushPrefEnv({"set": [
   ['full-screen-api.enabled', true],
   ['full-screen-api.allow-trusted-requests-only', false],
   ['full-screen-api.transition-duration.enter', '0 0'],
   ['full-screen-api.transition-duration.leave', '0 0']
 ]}, setup);
--- a/dom/tests/mochitest/localstorage/test_localStorageFromChrome.xhtml
+++ b/dom/tests/mochitest/localstorage/test_localStorageFromChrome.xhtml
@@ -13,21 +13,21 @@ function startTest()
   var ios = Components.classes["@mozilla.org/network/io-service;1"]
     .getService(Components.interfaces.nsIIOService);
   var ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
     .getService(Components.interfaces.nsIScriptSecurityManager);
   var dsm = Components.classes["@mozilla.org/dom/localStorage-manager;1"]
     .getService(Components.interfaces.nsIDOMStorageManager);
 
   var uri = ios.newURI(url, "", null);
-  var principal = ssm.getNoAppCodebasePrincipal(uri);
+  var principal = ssm.createCodebasePrincipal(uri, {});
   var storage = dsm.createStorage(window, principal, "");
-  
+
   storage.setItem("chromekey", "chromevalue");
-  
+
   var aframe = document.getElementById("aframe");
   aframe.onload = function()
   {
     is(storage.getItem("chromekey"), "chromevalue");
     is(aframe.contentDocument.getElementById("data").innerHTML, "chromevalue");
     SimpleTest.finish();
   }
   aframe.src = "http://example.com/tests/dom/tests/mochitest/localstorage/frameChromeSlave.html";  
--- a/extensions/cookie/nsPermission.cpp
+++ b/extensions/cookie/nsPermission.cpp
@@ -2,17 +2,16 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsPermission.h"
 #include "nsContentUtils.h"
 #include "nsIClassInfoImpl.h"
 #include "nsIEffectiveTLDService.h"
-#include "nsIScriptSecurityManager.h"
 #include "mozilla/BasePrincipal.h"
 
 // nsPermission Implementation
 
 NS_IMPL_CLASSINFO(nsPermission, nullptr, 0, {0})
 NS_IMPL_ISUPPORTS_CI(nsPermission, nsIPermission)
 
 nsPermission::nsPermission(nsIPrincipal*    aPrincipal,
@@ -163,17 +162,14 @@ nsPermission::Matches(nsIPrincipal* aPri
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPermission::MatchesURI(nsIURI* aURI, bool aExactHost, bool* aMatches)
 {
   NS_ENSURE_ARG_POINTER(aURI);
 
-  nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
-  NS_ENSURE_TRUE(secMan, NS_ERROR_FAILURE);
-
-  nsCOMPtr<nsIPrincipal> principal;
-  nsresult rv = secMan->GetNoAppCodebasePrincipal(aURI, getter_AddRefs(principal));
-  NS_ENSURE_SUCCESS(rv, rv);
+  mozilla::OriginAttributes attrs;
+  nsCOMPtr<nsIPrincipal> principal = mozilla::BasePrincipal::CreateCodebasePrincipal(aURI, attrs);
+  NS_ENSURE_TRUE(principal, NS_ERROR_FAILURE);
 
   return Matches(principal, aExactHost, aMatches);
 }
--- a/extensions/cookie/nsPermissionManager.cpp
+++ b/extensions/cookie/nsPermissionManager.cpp
@@ -133,20 +133,22 @@ GetPrincipal(nsIURI* aURI, uint32_t aApp
 
   principal.forget(aPrincipal);
   return NS_OK;
 }
 
 nsresult
 GetPrincipal(nsIURI* aURI, nsIPrincipal** aPrincipal)
 {
-  nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
-  NS_ENSURE_TRUE(secMan, NS_ERROR_FAILURE);
-
-  return secMan->GetNoAppCodebasePrincipal(aURI, aPrincipal);
+  mozilla::OriginAttributes attrs;
+  nsCOMPtr<nsIPrincipal> principal = mozilla::BasePrincipal::CreateCodebasePrincipal(aURI, attrs);
+  NS_ENSURE_TRUE(principal, NS_ERROR_FAILURE);
+
+  principal.forget(aPrincipal);
+  return NS_OK;
 }
 
 nsCString
 GetNextSubDomainForHost(const nsACString& aHost)
 {
   nsCOMPtr<nsIEffectiveTLDService> tldService =
     do_GetService(NS_EFFECTIVETLDSERVICE_CONTRACTID);
   if (!tldService) {
--- a/extensions/cookie/test/unit/test_permmanager_defaults.js
+++ b/extensions/cookie/test/unit/test_permmanager_defaults.js
@@ -46,20 +46,21 @@ add_task(function* do_test() {
   // Set the preference used by the permission manager so the file is read.
   Services.prefs.setCharPref("permissions.manager.defaultsUrl", "file://" + file.path);
 
   // initialize the permission manager service - it will read that default.
   let pm = Cc["@mozilla.org/permissionmanager;1"].
            getService(Ci.nsIPermissionManager);
 
   // test the default permission was applied.
-  let principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(TEST_ORIGIN);
-  let principalHttps = Services.scriptSecurityManager.getNoAppCodebasePrincipal(TEST_ORIGIN_HTTPS);
-  let principal2 = Services.scriptSecurityManager.getNoAppCodebasePrincipal(TEST_ORIGIN_2);
-  let principal3 = Services.scriptSecurityManager.getNoAppCodebasePrincipal(TEST_ORIGIN_3);
+  let principal = Services.scriptSecurityManager.createCodebasePrincipal(TEST_ORIGIN, {});
+  let principalHttps = Services.scriptSecurityManager.createCodebasePrincipal(TEST_ORIGIN_HTTPS, {});
+  let principal2 = Services.scriptSecurityManager.createCodebasePrincipal(TEST_ORIGIN_2, {});
+  let principal3 = Services.scriptSecurityManager.createCodebasePrincipal(TEST_ORIGIN_3, {});
+
   let attrs = {appId: 1000, inBrowser: true};
   let principal4 = Services.scriptSecurityManager.createCodebasePrincipal(TEST_ORIGIN, attrs);
   let principal5 = Services.scriptSecurityManager.createCodebasePrincipal(TEST_ORIGIN_3, attrs);
 
   do_check_eq(Ci.nsIPermissionManager.ALLOW_ACTION,
               pm.testPermissionFromPrincipal(principal, TEST_PERMISSION));
   do_check_eq(Ci.nsIPermissionManager.ALLOW_ACTION,
               pm.testPermissionFromPrincipal(principalHttps, TEST_PERMISSION));
@@ -218,17 +219,17 @@ function checkCapabilityViaDB(expected, 
   do_check();
   return deferred.promise;
 }
 
 // use the DB to find the requested permission.   Returns the permission
 // value (ie, the "capability" in nsIPermission parlance) or null if it can't
 // be found.
 function findCapabilityViaDB(origin = TEST_ORIGIN, type = TEST_PERMISSION) {
-  let principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(origin);
+  let principal = Services.scriptSecurityManager.createCodebasePrincipal(origin, {});
   let originStr = principal.origin;
 
   let file = Services.dirsvc.get("ProfD", Ci.nsIFile);
   file.append("permissions.sqlite");
 
   let storage = Cc["@mozilla.org/storage/service;1"]
                   .getService(Ci.mozIStorageService);
 
--- a/extensions/cookie/test/unit/test_permmanager_expiration.js
+++ b/extensions/cookie/test/unit/test_permmanager_expiration.js
@@ -16,17 +16,17 @@ function continue_test()
 }
 
 function do_run_test() {
   // Set up a profile.
   let profile = do_get_profile();
 
   let pm = Services.perms;
   let permURI = NetUtil.newURI("http://example.com");
-  let principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(permURI);
+  let principal = Services.scriptSecurityManager.createCodebasePrincipal(permURI, {});
 
   let now = Number(Date.now());
 
   // add a permission with *now* expiration
   pm.addFromPrincipal(principal, "test/expiration-perm-exp", 1, pm.EXPIRE_TIME, now);
   pm.addFromPrincipal(principal, "test/expiration-session-exp", 1, pm.EXPIRE_SESSION, now);
 
   // add a permission with future expiration (100 milliseconds)
--- a/extensions/cookie/test/unit/test_permmanager_getPermissionObject.js
+++ b/extensions/cookie/test/unit/test_permmanager_getPermissionObject.js
@@ -1,15 +1,16 @@
 /* Any copyright is dedicated to the Public Domain.
    http://creativecommons.org/publicdomain/zero/1.0/ */
 
-function getPrincipalFromURI(uri) {
-  return Cc["@mozilla.org/scriptsecuritymanager;1"]
-           .getService(Ci.nsIScriptSecurityManager)
-           .getNoAppCodebasePrincipal(NetUtil.newURI(uri));
+function getPrincipalFromURI(aURI) {
+  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+  let uri = NetUtil.newURI(aURI);
+  return ssm.createCodebasePrincipal(uri, {});
 }
 
 function getSystemPrincipal() {
   return Cc["@mozilla.org/scriptsecuritymanager;1"]
            .getService(Ci.nsIScriptSecurityManager)
            .getSystemPrincipal();
 }
 
--- a/extensions/cookie/test/unit/test_permmanager_idn.js
+++ b/extensions/cookie/test/unit/test_permmanager_idn.js
@@ -1,15 +1,16 @@
 /* Any copyright is dedicated to the Public Domain.
    http://creativecommons.org/publicdomain/zero/1.0/ */
 
 function getPrincipalFromDomain(aDomain) {
-  return Cc["@mozilla.org/scriptsecuritymanager;1"]
-           .getService(Ci.nsIScriptSecurityManager)
-           .getNoAppCodebasePrincipal(NetUtil.newURI("http://" + aDomain));
+  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+  let uri = NetUtil.newURI("http://" + aDomain);
+  return ssm.createCodebasePrincipal(uri, {});
 }
 
 function run_test() {
   let profile = do_get_profile();
   let pm = Services.perms;
   let perm = 'test-idn';
 
   // We create three principal linked to IDN.
@@ -40,9 +41,9 @@ function run_test() {
   do_check_eq(pm.testPermissionFromPrincipal(punyTldPrincipal, perm), pm.ALLOW_ACTION);
 
   // However, those two principals shouldn't be allowed because they are like
   // the IDN but without the UT8-8 characters.
   let witnessPrincipal = getPrincipalFromDomain("foo.com");
   do_check_eq(pm.testPermissionFromPrincipal(witnessPrincipal, perm), pm.UNKNOWN_ACTION);
   witnessPrincipal = getPrincipalFromDomain("foo.bar.com");
   do_check_eq(pm.testPermissionFromPrincipal(witnessPrincipal, perm), pm.UNKNOWN_ACTION);
-}
\ No newline at end of file
+}
--- a/extensions/cookie/test/unit/test_permmanager_load_invalid_entries.js
+++ b/extensions/cookie/test/unit/test_permmanager_load_invalid_entries.js
@@ -129,13 +129,14 @@ function run_test() {
     let thisModTime = select.getInt64(0);
     do_check_true(thisModTime == 0, "new modifiedTime field is correct");
     numMigrated += 1;
   }
   // check we found at least 1 record that was migrated.
   do_check_true(numMigrated > 0, "we found at least 1 record that was migrated");
 
   // This permission should always be there.
-  let principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(NetUtil.newURI("http://example.org"));
+  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+  let uri = NetUtil.newURI("http://example.org");
+  let principal = ssm.createCodebasePrincipal(uri, {});
   do_check_eq(pm.testPermissionFromPrincipal(principal, 'test-load-invalid-entries'), Ci.nsIPermissionManager.ALLOW_ACTION);
 }
--- a/extensions/cookie/test/unit/test_permmanager_local_files.js
+++ b/extensions/cookie/test/unit/test_permmanager_local_files.js
@@ -1,16 +1,17 @@
 /* Any copyright is dedicated to the Public Domain.
    http://creativecommons.org/publicdomain/zero/1.0/ */
 
 // Test that permissions work for file:// URIs (aka local files).
 
 function getPrincipalFromURIString(uriStr)
 {
-  return Services.scriptSecurityManager.getNoAppCodebasePrincipal(NetUtil.newURI(uriStr));
+  let uri = NetUtil.newURI(uriStr);
+  return Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
 }
 
 function run_test() {
   let pm = Services.perms;
 
   // If we add a permission to a file:// URI, the test should return true.
   let principal = getPrincipalFromURIString("file:///foo/bar");
   pm.addFromPrincipal(principal, "test/local-files", pm.ALLOW_ACTION, 0, 0);
--- a/extensions/cookie/test/unit/test_permmanager_matches.js
+++ b/extensions/cookie/test/unit/test_permmanager_matches.js
@@ -33,22 +33,22 @@ function run_test() {
   // Add some permissions
   let uri0 = NetUtil.newURI("http://google.com/search?q=foo#hashtag", null, null);
   let uri1 = NetUtil.newURI("http://hangouts.google.com/subdir", null, null);
   let uri2 = NetUtil.newURI("http://google.org/", null, null);
   let uri3 = NetUtil.newURI("https://google.com/some/random/subdirectory", null, null);
   let uri4 = NetUtil.newURI("https://hangouts.google.com/#!/hangout", null, null);
   let uri5 = NetUtil.newURI("http://google.com:8096/", null, null);
 
-  let uri0_n_n = secMan.getNoAppCodebasePrincipal(uri0);
-  let uri1_n_n = secMan.getNoAppCodebasePrincipal(uri1);
-  let uri2_n_n = secMan.getNoAppCodebasePrincipal(uri2);
-  let uri3_n_n = secMan.getNoAppCodebasePrincipal(uri3);
-  let uri4_n_n = secMan.getNoAppCodebasePrincipal(uri4);
-  let uri5_n_n = secMan.getNoAppCodebasePrincipal(uri5);
+  let uri0_n_n = secMan.createCodebasePrincipal(uri0, {});
+  let uri1_n_n = secMan.createCodebasePrincipal(uri1, {});
+  let uri2_n_n = secMan.createCodebasePrincipal(uri2, {});
+  let uri3_n_n = secMan.createCodebasePrincipal(uri3, {});
+  let uri4_n_n = secMan.createCodebasePrincipal(uri4, {});
+  let uri5_n_n = secMan.createCodebasePrincipal(uri5, {});
 
   let attrs = {appId: 1000};
   let uri0_1000_n = secMan.createCodebasePrincipal(uri0, attrs);
   let uri1_1000_n = secMan.createCodebasePrincipal(uri1, attrs);
   let uri2_1000_n = secMan.createCodebasePrincipal(uri2, attrs);
   let uri3_1000_n = secMan.createCodebasePrincipal(uri3, attrs);
   let uri4_1000_n = secMan.createCodebasePrincipal(uri4, attrs);
   let uri5_1000_n = secMan.createCodebasePrincipal(uri5, attrs);
--- a/extensions/cookie/test/unit/test_permmanager_matchesuri.js
+++ b/extensions/cookie/test/unit/test_permmanager_matchesuri.js
@@ -26,19 +26,18 @@ function mk_permission(uri, isAppPermiss
   let pm = Cc["@mozilla.org/permissionmanager;1"].
         getService(Ci.nsIPermissionManager);
 
   let secMan = Cc["@mozilla.org/scriptsecuritymanager;1"]
         .getService(Ci.nsIScriptSecurityManager);
 
   // Get the permission from the principal!
   let attrs = {appId: 1000};
-  let principal = isAppPermission ?
-        secMan.createCodebasePrincipal(uri, attrs) :
-        secMan.getNoAppCodebasePrincipal(uri);
+  let principal =
+    secMan.createCodebasePrincipal(uri, isAppPermission ? attrs : {});
 
   pm.addFromPrincipal(principal, "test/matchesuri", pm.ALLOW_ACTION);
   let permission = pm.getPermissionObject(principal, "test/matchesuri", true);
 
   return permission;
 }
 
 function run_test() {
--- a/extensions/cookie/test/unit/test_permmanager_notifications.js
+++ b/extensions/cookie/test/unit/test_permmanager_notifications.js
@@ -18,19 +18,20 @@ function continue_test()
 
 function do_run_test() {
   // Set up a profile.
   let profile = do_get_profile();
 
   let pm = Services.perms;
   let now = Number(Date.now());
   let permType = "test/expiration-perm";
-  let principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(NetUtil.newURI("http://example.com"));
+  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+  let uri = NetUtil.newURI("http://example.com");
+  let principal = ssm.createCodebasePrincipal(uri, {});
 
   let observer = new permission_observer(test_generator, now, permType);
   Services.obs.addObserver(observer, "perm-changed", false);
 
   // Add a permission, to test the 'add' notification. Note that we use
   // do_execute_soon() so that we can use our generator to continue the test
   // where we left off.
   do_execute_soon(function() {
--- a/extensions/cookie/test/unit/test_permmanager_removesince.js
+++ b/extensions/cookie/test/unit/test_permmanager_removesince.js
@@ -19,20 +19,20 @@ function do_run_test() {
   // Set up a profile.
   let profile = do_get_profile();
 
   let pm = Services.perms;
 
   // to help with testing edge-cases, we will arrange for .removeAllSince to
   // remove *all* permissions from one principal and one permission from another.
   let permURI1 = NetUtil.newURI("http://example.com");
-  let principal1 = Services.scriptSecurityManager.getNoAppCodebasePrincipal(permURI1);
+  let principal1 = Services.scriptSecurityManager.createCodebasePrincipal(permURI1, {});
 
   let permURI2 = NetUtil.newURI("http://example.org");
-  let principal2 = Services.scriptSecurityManager.getNoAppCodebasePrincipal(permURI2);
+  let principal2 = Services.scriptSecurityManager.createCodebasePrincipal(permURI2, {});
 
   // add a permission now - this isn't going to be removed.
   pm.addFromPrincipal(principal1, "test/remove-since", 1);
 
   // sleep briefly, then record the time - we'll remove all since then.
   do_timeout(20, continue_test);
   yield;
 
--- a/extensions/cookie/test/unit/test_permmanager_subdomains.js
+++ b/extensions/cookie/test/unit/test_permmanager_subdomains.js
@@ -1,15 +1,16 @@
 /* Any copyright is dedicated to the Public Domain.
    http://creativecommons.org/publicdomain/zero/1.0/ */
 
-function getPrincipalFromURI(uri) {
-  return Cc["@mozilla.org/scriptsecuritymanager;1"]
-           .getService(Ci.nsIScriptSecurityManager)
-           .getNoAppCodebasePrincipal(NetUtil.newURI(uri));
+function getPrincipalFromURI(aURI) {
+  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+  let uri = NetUtil.newURI(aURI);
+  return ssm.createCodebasePrincipal(uri, {});
 }
 
 function run_test() {
   var pm = Cc["@mozilla.org/permissionmanager;1"].
            getService(Ci.nsIPermissionManager);
 
   // Adds a permission to a sub-domain. Checks if it is working.
   let sub1Principal = getPrincipalFromURI("http://sub1.example.com");
@@ -48,9 +49,9 @@ function run_test() {
   // A sanity check that the previous implementation wasn't passing...
   let crazyPrincipal = getPrincipalFromURI("http://com");
   pm.addFromPrincipal(crazyPrincipal, "test/subdomains", pm.ALLOW_ACTION, 0, 0);
   do_check_eq(pm.testPermissionFromPrincipal(crazyPrincipal, "test/subdomains"),  pm.ALLOW_ACTION);
   do_check_eq(pm.testPermissionFromPrincipal(mainPrincipal, "test/subdomains"),   pm.UNKNOWN_ACTION);
   do_check_eq(pm.testPermissionFromPrincipal(sub1Principal, "test/subdomains"),   pm.UNKNOWN_ACTION);
   do_check_eq(pm.testPermissionFromPrincipal(sub2Principal, "test/subdomains"),   pm.UNKNOWN_ACTION);
   do_check_eq(pm.testPermissionFromPrincipal(subsubPrincipal, "test/subdomains"), pm.UNKNOWN_ACTION);
-}
\ No newline at end of file
+}
--- a/extensions/cookie/test/unit_ipc/test_child.js
+++ b/extensions/cookie/test/unit_ipc/test_child.js
@@ -7,19 +7,19 @@ var gIoService = Components.classes["@mo
 
 function isParentProcess() {
     let appInfo = Cc["@mozilla.org/xre/app-info;1"];
     return (!appInfo || appInfo.getService(Ci.nsIXULRuntime).processType == Ci.nsIXULRuntime.PROCESS_TYPE_DEFAULT);
 }
 
 function getPrincipalForURI(aURI) {
   var uri =  gIoService.newURI(aURI, null, null);
-  return Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                   .getService(Ci.nsIScriptSecurityManager)
-                   .getNoAppCodebasePrincipal(uri);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+  return ssm.createCodebasePrincipal(uri, {});
 }
 
 function run_test() {
   if (!isParentProcess()) {
     const Ci = Components.interfaces;
     const Cc = Components.classes;
 
     var mM = Cc["@mozilla.org/childprocessmessagemanager;1"].
--- a/extensions/cookie/test/unit_ipc/test_parent.js
+++ b/extensions/cookie/test/unit_ipc/test_parent.js
@@ -7,19 +7,19 @@ var gIoService = Components.classes["@mo
 
 function isParentProcess() {
     let appInfo = Cc["@mozilla.org/xre/app-info;1"];
     return (!appInfo || appInfo.getService(Ci.nsIXULRuntime).processType == Ci.nsIXULRuntime.PROCESS_TYPE_DEFAULT);
 }
 
 function getPrincipalForURI(aURI) {
   var uri = gIoService.newURI(aURI, null, null);
-  return Cc["@mozilla.org/scriptsecuritymanager;1"]
-           .getService(Ci.nsIScriptSecurityManager)
-           .getNoAppCodebasePrincipal(uri);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+  return ssm.createCodebasePrincipal(uri, {});
 }
 
 function run_test() {
   if (isParentProcess()) {
     var pm = Cc["@mozilla.org/permissionmanager;1"].getService(Ci.nsIPermissionManager);
 
     // Permissions created before the child is present
     pm.addFromPrincipal(getPrincipalForURI("http://mozilla.org"), "cookie1", pm.ALLOW_ACTION, pm.EXPIRE_NEVER, 0);
--- a/gfx/thebes/gfxSVGGlyphs.cpp
+++ b/gfx/thebes/gfxSVGGlyphs.cpp
@@ -14,20 +14,20 @@
 #include "nsIStreamListener.h"
 #include "nsServiceManagerUtils.h"
 #include "nsIPresShell.h"
 #include "nsNetUtil.h"
 #include "nsIInputStream.h"
 #include "nsStringStream.h"
 #include "nsStreamUtils.h"
 #include "nsIPrincipal.h"
+#include "mozilla/BasePrincipal.h"
 #include "mozilla/dom/Element.h"
 #include "mozilla/LoadInfo.h"
 #include "nsSVGUtils.h"
-#include "nsIScriptSecurityManager.h"
 #include "nsHostObjectProtocolHandler.h"
 #include "nsContentUtils.h"
 #include "gfxFont.h"
 #include "nsSMILAnimationController.h"
 #include "gfxContext.h"
 #include "gfxColor.h"
 #include "harfbuzz/hb.h"
 
@@ -343,19 +343,20 @@ gfxSVGGlyphsDocument::ParseDocument(cons
     nsCOMPtr<nsIURI> uri;
     nsHostObjectProtocolHandler::GenerateURIString(NS_LITERAL_CSTRING(FONTTABLEURI_SCHEME),
                                                    nullptr,
                                                    mSVGGlyphsDocumentURI);
  
     rv = NS_NewURI(getter_AddRefs(uri), mSVGGlyphsDocumentURI);
     NS_ENSURE_SUCCESS(rv, rv);
 
-    nsCOMPtr<nsIPrincipal> principal;
-    nsContentUtils::GetSecurityManager()->
-        GetNoAppCodebasePrincipal(uri, getter_AddRefs(principal));
+    OriginAttributes attrs;
+    nsCOMPtr<nsIPrincipal> principal =
+        BasePrincipal::CreateCodebasePrincipal(uri, attrs);
+    NS_ENSURE_TRUE(principal, NS_ERROR_FAILURE);
 
     nsCOMPtr<nsIDOMDocument> domDoc;
     rv = NS_NewDOMDocument(getter_AddRefs(domDoc),
                            EmptyString(),   // aNamespaceURI
                            EmptyString(),   // aQualifiedName
                            nullptr,          // aDoctype
                            uri, uri, principal,
                            false,           // aLoadedAsData
--- a/js/xpconnect/src/Sandbox.cpp
+++ b/js/xpconnect/src/Sandbox.cpp
@@ -11,17 +11,16 @@
 #include "AccessCheck.h"
 #include "jsfriendapi.h"
 #include "js/Proxy.h"
 #include "js/StructuredClone.h"
 #include "nsContentUtils.h"
 #include "nsGlobalWindow.h"
 #include "nsIScriptContext.h"
 #include "nsIScriptObjectPrincipal.h"
-#include "nsIScriptSecurityManager.h"
 #include "nsIURI.h"
 #include "nsJSUtils.h"
 #include "nsNetUtil.h"
 #include "nsNullPrincipal.h"
 #include "nsPrincipal.h"
 #include "nsXMLHttpRequest.h"
 #include "WrapperFactory.h"
 #include "xpcprivate.h"
@@ -1188,25 +1187,25 @@ ParsePrincipal(JSContext* cx, HandleStri
     nsAutoJSString codebaseStr;
     NS_ENSURE_TRUE(codebaseStr.init(cx, codebase), false);
     nsresult rv = NS_NewURI(getter_AddRefs(uri), codebaseStr);
     if (NS_FAILED(rv)) {
         JS_ReportError(cx, "Creating URI from string failed");
         return false;
     }
 
-    nsCOMPtr<nsIScriptSecurityManager> secman =
-        do_GetService(kScriptSecurityManagerContractID);
-    NS_ENSURE_TRUE(secman, false);
-
     // We could allow passing in the app-id and browser-element info to the
     // sandbox constructor. But creating a sandbox based on a string is a
     // deprecated API so no need to add features to it.
-    rv = secman->GetNoAppCodebasePrincipal(uri, principal);
-    if (NS_FAILED(rv) || !*principal) {
+    OriginAttributes attrs;
+    nsCOMPtr<nsIPrincipal> prin =
+        BasePrincipal::CreateCodebasePrincipal(uri, attrs);
+    prin.forget(principal);
+
+    if (!*principal) {
         JS_ReportError(cx, "Creating Principal from URI failed");
         return false;
     }
     return true;
 }
 
 /*
  * For sandbox constructor the first argument can be a principal object or
--- a/netwerk/test/unit/test_auth_dialog_permission.js
+++ b/netwerk/test/unit/test_auth_dialog_permission.js
@@ -106,21 +106,20 @@ Requestor.prototype = {
 
 function make_uri(url) {
   var ios = Cc["@mozilla.org/network/io-service;1"].
               getService(Ci.nsIIOService);
   return ios.newURI(url, null, null);
 }
 
 function makeChan(loadingUrl, url, contentPolicy) {
-  var loadingUri = make_uri(loadingUrl);
-  var principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(loadingUri);
-
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+  var uri = make_uri(loadingUrl);
+  var principal = ssm.createCodebasePrincipal(uri, {});
   var ios = Components.classes["@mozilla.org/network/io-service;1"]
                       .getService(Components.interfaces.nsIIOService);
   var chan = ios.newChannel2(url,
                              null,
                              null,
                              null,
                              principal,
                              null,
--- a/netwerk/test/unit/test_fallback_no-cache-entry_canceled.js
+++ b/netwerk/test/unit/test_fallback_no-cache-entry_canceled.js
@@ -67,20 +67,20 @@ function run_test()
   httpServer = new HttpServer();
   httpServer.registerPathHandler("/masterEntry", masterEntryHandler);
   httpServer.registerPathHandler("/manifest", manifestHandler);
   httpServer.registerPathHandler("/content", contentHandler);
   httpServer.start(-1);
 
   var pm = Cc["@mozilla.org/permissionmanager;1"]
     .getService(Ci.nsIPermissionManager);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
   var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  var principal = ssm.createCodebasePrincipal(uri, {});
 
   if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
     dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
   }
   pm.addFromPrincipal(principal, "offline-app", Ci.nsIPermissionManager.ALLOW_ACTION);
 
   var ps = Cc["@mozilla.org/preferences-service;1"]
     .getService(Ci.nsIPrefBranch);
--- a/netwerk/test/unit/test_fallback_no-cache-entry_passing.js
+++ b/netwerk/test/unit/test_fallback_no-cache-entry_passing.js
@@ -67,20 +67,20 @@ function run_test()
   httpServer = new HttpServer();
   httpServer.registerPathHandler("/masterEntry", masterEntryHandler);
   httpServer.registerPathHandler("/manifest", manifestHandler);
   httpServer.registerPathHandler("/content", contentHandler);
   httpServer.start(-1);
 
   var pm = Cc["@mozilla.org/permissionmanager;1"]
     .getService(Ci.nsIPermissionManager);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
   var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  var principal = ssm.createCodebasePrincipal(uri, {});
 
   if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
     dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
   }
   pm.addFromPrincipal(principal, "offline-app", Ci.nsIPermissionManager.ALLOW_ACTION);
 
   var ps = Cc["@mozilla.org/preferences-service;1"]
     .getService(Ci.nsIPrefBranch);
--- a/netwerk/test/unit/test_fallback_redirect-to-different-origin_canceled.js
+++ b/netwerk/test/unit/test_fallback_redirect-to-different-origin_canceled.js
@@ -75,20 +75,20 @@ function run_test()
   httpServer.registerPathHandler("/masterEntry", masterEntryHandler);
   httpServer.registerPathHandler("/manifest", manifestHandler);
   httpServer.registerPathHandler("/content", contentHandler);
   httpServer.registerPathHandler(randomPath, redirectHandler);
   httpServer.start(-1);
 
   var pm = Cc["@mozilla.org/permissionmanager;1"]
     .getService(Ci.nsIPermissionManager);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
   var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  var principal = ssm.createCodebasePrincipal(uri, {});
 
   if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
     dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
   }
   pm.addFromPrincipal(principal, "offline-app", Ci.nsIPermissionManager.ALLOW_ACTION);
 
   var ps = Cc["@mozilla.org/preferences-service;1"]
     .getService(Ci.nsIPrefBranch);
--- a/netwerk/test/unit/test_fallback_redirect-to-different-origin_passing.js
+++ b/netwerk/test/unit/test_fallback_redirect-to-different-origin_passing.js
@@ -75,20 +75,20 @@ function run_test()
   httpServer.registerPathHandler("/masterEntry", masterEntryHandler);
   httpServer.registerPathHandler("/manifest", manifestHandler);
   httpServer.registerPathHandler("/content", contentHandler);
   httpServer.registerPathHandler(randomPath, redirectHandler);
   httpServer.start(-1);
 
   var pm = Cc["@mozilla.org/permissionmanager;1"]
     .getService(Ci.nsIPermissionManager);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
   var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  var principal = ssm.createCodebasePrincipal(uri, {});
 
   if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
     dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
   }
   pm.addFromPrincipal(principal, "offline-app", Ci.nsIPermissionManager.ALLOW_ACTION);
 
   var ps = Cc["@mozilla.org/preferences-service;1"]
     .getService(Ci.nsIPrefBranch);
--- a/netwerk/test/unit/test_fallback_request-error_canceled.js
+++ b/netwerk/test/unit/test_fallback_request-error_canceled.js
@@ -74,20 +74,20 @@ function run_test()
   httpServer = new HttpServer();
   httpServer.registerPathHandler("/masterEntry", masterEntryHandler);
   httpServer.registerPathHandler("/manifest", manifestHandler);
   httpServer.registerPathHandler("/content", contentHandler);
   httpServer.start(-1);
 
   var pm = Cc["@mozilla.org/permissionmanager;1"]
     .getService(Ci.nsIPermissionManager);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
   var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  var principal = ssm.createCodebasePrincipal(uri, {});
 
   if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
     dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
   }
   pm.addFromPrincipal(principal, "offline-app", Ci.nsIPermissionManager.ALLOW_ACTION);
 
   var ps = Cc["@mozilla.org/preferences-service;1"]
     .getService(Ci.nsIPrefBranch);
--- a/netwerk/test/unit/test_fallback_request-error_passing.js
+++ b/netwerk/test/unit/test_fallback_request-error_passing.js
@@ -74,20 +74,20 @@ function run_test()
   httpServer = new HttpServer();
   httpServer.registerPathHandler("/masterEntry", masterEntryHandler);
   httpServer.registerPathHandler("/manifest", manifestHandler);
   httpServer.registerPathHandler("/content", contentHandler);
   httpServer.start(-1);
 
   var pm = Cc["@mozilla.org/permissionmanager;1"]
     .getService(Ci.nsIPermissionManager);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
   var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  var principal = ssm.createCodebasePrincipal(uri, {});
 
   if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
     dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
   }
   pm.addFromPrincipal(principal, "offline-app", Ci.nsIPermissionManager.ALLOW_ACTION);
 
   var ps = Cc["@mozilla.org/preferences-service;1"]
     .getService(Ci.nsIPrefBranch);
--- a/netwerk/test/unit/test_fallback_response-error_canceled.js
+++ b/netwerk/test/unit/test_fallback_response-error_canceled.js
@@ -74,20 +74,20 @@ function run_test()
   httpServer.registerPathHandler("/masterEntry", masterEntryHandler);
   httpServer.registerPathHandler("/manifest", manifestHandler);
   httpServer.registerPathHandler("/content", contentHandler);
   httpServer.registerPathHandler(randomPath, errorHandler);
   httpServer.start(-1);
 
   var pm = Cc["@mozilla.org/permissionmanager;1"]
     .getService(Ci.nsIPermissionManager);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
   var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  var principal = ssm.createCodebasePrincipal(uri, {});
 
   if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
     dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
   }
   pm.addFromPrincipal(principal, "offline-app", Ci.nsIPermissionManager.ALLOW_ACTION);
 
   var ps = Cc["@mozilla.org/preferences-service;1"]
     .getService(Ci.nsIPrefBranch);
--- a/netwerk/test/unit/test_fallback_response-error_passing.js
+++ b/netwerk/test/unit/test_fallback_response-error_passing.js
@@ -74,20 +74,20 @@ function run_test()
   httpServer.registerPathHandler("/masterEntry", masterEntryHandler);
   httpServer.registerPathHandler("/manifest", manifestHandler);
   httpServer.registerPathHandler("/content", contentHandler);
   httpServer.registerPathHandler(randomPath, errorHandler);
   httpServer.start(-1);
 
   var pm = Cc["@mozilla.org/permissionmanager;1"]
     .getService(Ci.nsIPermissionManager);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
   var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  var principal = ssm.createCodebasePrincipal(uri, {});
 
   if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
     dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
   }
   pm.addFromPrincipal(principal, "offline-app", Ci.nsIPermissionManager.ALLOW_ACTION);
 
   var ps = Cc["@mozilla.org/preferences-service;1"]
     .getService(Ci.nsIPrefBranch);
--- a/netwerk/test/unit/test_offlinecache_custom-directory.js
+++ b/netwerk/test/unit/test_offlinecache_custom-directory.js
@@ -98,20 +98,20 @@ function run_test()
   httpServer.start(4444);
 
   var profileDir = do_get_profile();
   var customDir = profileDir.clone();
   customDir.append("customOfflineCacheDir" + Math.random());
 
   var pm = Cc["@mozilla.org/permissionmanager;1"]
     .getService(Ci.nsIPermissionManager);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
   var uri = make_uri("http://localhost:4444");
-  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  var principal = ssm.createCodebasePrincipal(uri, {});
 
   if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
     dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
   }
   pm.addFromPrincipal(principal, "offline-app", Ci.nsIPermissionManager.ALLOW_ACTION);
 
   var ps = Cc["@mozilla.org/preferences-service;1"]
     .getService(Ci.nsIPrefBranch);
--- a/netwerk/test/unit/test_packaged_app_service.js
+++ b/netwerk/test/unit/test_packaged_app_service.js
@@ -55,20 +55,20 @@ function packagedAppContentHandler(metad
   if (packagedAppRequestsMade == 3) {
     // The third request returns a 200 OK response with a slightly different content
     body = body.replace(/\.\.\./g, 'xxx');
   }
   response.bodyOutputStream.write(body, body.length);
 }
 
 function getPrincipal(url) {
+  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
   let uri = createURI(url);
-  return Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-         .getService(Ci.nsIScriptSecurityManager)
-         .getNoAppCodebasePrincipal(uri);
+  return ssm.createCodebasePrincipal(uri, {});
 }
 
 // The package content
 // getData formats it as described at http://www.w3.org/TR/web-packaging/#streamable-package-format
 var testData = {
   content: [
    { headers: ["Content-Location: /index.html", "Content-Type: text/html"], data: "<html>\r\n  <head>\r\n    <script src=\"/scripts/app.js\"></script>\r\n    ...\r\n  </head>\r\n  ...\r\n</html>\r\n", type: "text/html" },
    { headers: ["Content-Location: /scripts/app.js", "Content-Type: text/javascript"], data: "module Math from '/scripts/helpers/math.js';\r\n...\r\n", type: "text/javascript" },
--- a/netwerk/test/unit/test_packaged_app_service_paths.js
+++ b/netwerk/test/unit/test_packaged_app_service_paths.js
@@ -7,20 +7,20 @@ function packagedAppContentHandler(metad
 {
   response.setHeader("Content-Type", 'application/package');
   var body = testData.getData();
   response.bodyOutputStream.write(body, body.length);
   gRequestNo++;
 }
 
 function getPrincipal(url) {
+  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
   let uri = createURI(url);
-  return Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-         .getService(Ci.nsIScriptSecurityManager)
-         .getNoAppCodebasePrincipal(uri);
+  return ssm.createCodebasePrincipal(uri, {});
 }
 
 var subresourcePaths = [
   [ "/index.html", "index.html" ],
   [ "index.html",  "index.html" ],
   [ "/../../index.html", "index.html" ],
   [ "../../index.html", "index.html" ],
   [ "/hello/./.././index.html", "index.html" ],
--- a/netwerk/test/unit/test_permmgr.js
+++ b/netwerk/test/unit/test_permmgr.js
@@ -41,25 +41,25 @@ function run_test() {
 
   // nsIPermissionManager implementation is an extension; don't fail if it's not there
   if (!pm)
     return;
 
   // put a few hosts in
   for (var i = 0; i < hosts.length; ++i) {
     let uri = ioService.newURI(hosts[i][0], null, null);
-    let principal = secMan.getNoAppCodebasePrincipal(uri);
+    let principal = secMan.createCodebasePrincipal(uri, {});
 
     pm.addFromPrincipal(principal, hosts[i][1], hosts[i][2]);
   }
 
   // test the result
   for (var i = 0; i < results.length; ++i) {
     let uri = ioService.newURI(results[i][0], null, null);
-    let principal = secMan.getNoAppCodebasePrincipal(uri);
+    let principal = secMan.createCodebasePrincipal(uri, {});
 
     do_check_eq(pm.testPermissionFromPrincipal(principal, results[i][1]), results[i][2]);
     do_check_eq(pm.testExactPermissionFromPrincipal(principal, results[i][1]), results[i][3]);
   }
 
   // test the enumerator ...
   var j = 0;
   var perms = new Array();
--- a/services/sync/Weave.js
+++ b/services/sync/Weave.js
@@ -183,16 +183,17 @@ AboutWeaveLog.prototype = {
     let channel = Services.io.newChannelFromURIWithLoadInfo(uri, aLoadInfo);
 
     channel.originalURI = aURI;
 
     // Ensure that the about page has the same privileges as a regular directory
     // view. That way links to files can be opened.
     let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
                 .getService(Ci.nsIScriptSecurityManager);
-    let principal = ssm.getNoAppCodebasePrincipal(uri);
+    let principal = ssm.createCodebasePrincipal(uri, {});
+
     channel.owner = principal;
     return channel;
   }
 };
 
 const components = [WeaveService, AboutWeaveLog];
 this.NSGetFactory = XPCOMUtils.generateNSGetFactory(components);
--- a/testing/mochitest/tests/Harness_sanity/test_bug816847.html
+++ b/testing/mochitest/tests/Harness_sanity/test_bug816847.html
@@ -29,24 +29,24 @@ const appsSvc = Cc["@mozilla.org/AppsSer
                   .getService(Ci.nsIAppsService)
 
 const manifest = "https://example.com/manifest.webapp";
 const allow = Ci.nsIPermissionManager.ALLOW_ACTION;
 const unknown = Ci.nsIPermissionManager.UNKNOWN_ACTION;
 const perms = ['network-events', 'geolocation', 'camera', 'alarms']
 
 function createPrincipal(aURI, aIsApp, aIsInBrowserElement) {
-  if(aIsApp) {
+  if (aIsApp) {
     var app = appsSvc.getAppByManifestURL(aURI);
     return app.principal;
   }
 
   var uri = Services.io.newURI(aURI, null, null);
   return Services.scriptSecurityManager
-                 .getNoAppCodebasePrincipal(uri);
+                 .createCodebasePrincipal(uri, {});
 }
 
 // test addPermission and removePermission
 function starttest(){
   var app = appsSvc.getAppByManifestURL(manifest);
   ok(app != null, "Got an app "); 
 
   var origin = app.origin 
--- a/toolkit/components/downloads/ApplicationReputation.cpp
+++ b/toolkit/components/downloads/ApplicationReputation.cpp
@@ -10,29 +10,29 @@
 #include "csd.pb.h"
 
 #include "nsIArray.h"
 #include "nsIApplicationReputation.h"
 #include "nsIChannel.h"
 #include "nsIHttpChannel.h"
 #include "nsIIOService.h"
 #include "nsIPrefService.h"
-#include "nsIScriptSecurityManager.h"
 #include "nsISimpleEnumerator.h"
 #include "nsIStreamListener.h"
 #include "nsIStringStream.h"
 #include "nsITimer.h"
 #include "nsIUploadChannel2.h"
 #include "nsIURI.h"
 #include "nsIURL.h"
 #include "nsIUrlClassifierDBService.h"
 #include "nsIX509Cert.h"
 #include "nsIX509CertDB.h"
 #include "nsIX509CertList.h"
 
+#include "mozilla/BasePrincipal.h"
 #include "mozilla/Preferences.h"
 #include "mozilla/Services.h"
 #include "mozilla/Telemetry.h"
 #include "mozilla/TimeStamp.h"
 #include "mozilla/LoadContext.h"
 
 #include "nsAutoPtr.h"
 #include "nsCOMPtr.h"
@@ -45,16 +45,18 @@
 #include "nsTArray.h"
 #include "nsThreadUtils.h"
 #include "nsXPCOMStrings.h"
 
 #include "nsIContentPolicy.h"
 #include "nsILoadInfo.h"
 #include "nsContentUtils.h"
 
+using mozilla::BasePrincipal;
+using mozilla::OriginAttributes;
 using mozilla::Preferences;
 using mozilla::TimeStamp;
 using mozilla::Telemetry::Accumulate;
 using safe_browsing::ClientDownloadRequest;
 using safe_browsing::ClientDownloadRequest_CertificateChain;
 using safe_browsing::ClientDownloadRequest_Resource;
 using safe_browsing::ClientDownloadRequest_SignatureInfo;
 
@@ -288,23 +290,22 @@ PendingDBLookup::LookupSpecInternal(cons
 {
   nsresult rv;
 
   nsCOMPtr<nsIURI> uri;
   nsCOMPtr<nsIIOService> ios = do_GetService(NS_IOSERVICE_CONTRACTID, &rv);
   rv = ios->NewURI(aSpec, nullptr, nullptr, getter_AddRefs(uri));
   NS_ENSURE_SUCCESS(rv, rv);
 
-  nsCOMPtr<nsIPrincipal> principal;
-  nsCOMPtr<nsIScriptSecurityManager> secMan =
-    do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  rv = secMan->GetNoAppCodebasePrincipal(uri, getter_AddRefs(principal));
-  NS_ENSURE_SUCCESS(rv, rv);
+  OriginAttributes attrs;
+  nsCOMPtr<nsIPrincipal> principal =
+    BasePrincipal::CreateCodebasePrincipal(uri, attrs);
+  if (!principal) {
+    return NS_ERROR_FAILURE;
+  }
 
   // Check local lists to see if the URI has already been whitelisted or
   // blacklisted.
   LOG(("Checking DB service for principal %s [this = %p]", mSpec.get(), this));
   nsCOMPtr<nsIUrlClassifierDBService> dbService =
     do_GetService(NS_URLCLASSIFIERDBSERVICE_CONTRACTID, &rv);
   NS_ENSURE_SUCCESS(rv, rv);
 
--- a/toolkit/components/downloads/test/unit/test_app_rep.js
+++ b/toolkit/components/downloads/test/unit/test_app_rep.js
@@ -312,21 +312,21 @@ add_test(function test_redirect_on_block
                              "http://localhost:4444/download");
   let counts = get_telemetry_counts();
   let listCounts = counts.listCounts;
   listCounts[BLOCK_LIST]++;
   listCounts[ALLOW_LIST]++;
   let secman = Services.scriptSecurityManager;
   let badRedirects = Cc["@mozilla.org/array;1"]
                        .createInstance(Ci.nsIMutableArray);
-  badRedirects.appendElement(secman.getNoAppCodebasePrincipal(exampleURI),
+  badRedirects.appendElement(secman.createCodebasePrincipal(exampleURI, {}),
                              false);
-  badRedirects.appendElement(secman.getNoAppCodebasePrincipal(blocklistedURI),
+  badRedirects.appendElement(secman.createCodebasePrincipal(blocklistedURI, {}),
                              false);
-  badRedirects.appendElement(secman.getNoAppCodebasePrincipal(whitelistedURI),
+  badRedirects.appendElement(secman.createCodebasePrincipal(whitelistedURI, {}),
                              false);
   gAppRep.queryReputation({
     sourceURI: whitelistedURI,
     referrerURI: exampleURI,
     redirects: badRedirects,
     fileSize: 12,
   }, function onComplete(aShouldBlock, aStatus) {
     do_check_eq(Cr.NS_OK, aStatus);
--- a/toolkit/components/places/BookmarkJSONUtils.jsm
+++ b/toolkit/components/places/BookmarkJSONUtils.jsm
@@ -204,17 +204,17 @@ BookmarkImporter.prototype = {
             reject(ex);
           }
         }
       };
 
       let uri = NetUtil.newURI(spec);
       let channel = NetUtil.newChannel({
         uri,
-        loadingPrincipal: Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri),
+        loadingPrincipal: Services.scriptSecurityManager.createCodebasePrincipal(uri, {}),
         contentPolicyType: Ci.nsIContentPolicy.TYPE_INTERNAL_XMLHTTPREQUEST
       });
       let streamLoader = Cc["@mozilla.org/network/stream-loader;1"]
                            .createInstance(Ci.nsIStreamLoader);
       streamLoader.init(streamObserver);
       channel.asyncOpen(streamLoader, channel);
     });
   },
--- a/toolkit/components/places/nsLivemarkService.js
+++ b/toolkit/components/places/nsLivemarkService.js
@@ -523,17 +523,17 @@ Livemark.prototype = {
     try {
       // Create a load group for the request.  This will allow us to
       // automatically keep track of redirects, so we can always
       // cancel the channel.
       let loadgroup = Cc["@mozilla.org/network/load-group;1"].
                       createInstance(Ci.nsILoadGroup);
       let channel = NetUtil.newChannel({
         uri: this.feedURI.spec,
-        loadingPrincipal: Services.scriptSecurityManager.getNoAppCodebasePrincipal(this.feedURI),
+        loadingPrincipal: Services.scriptSecurityManager.createCodebasePrincipal(this.feedURI, {}),
         contentPolicyType: Ci.nsIContentPolicy.TYPE_INTERNAL_XMLHTTPREQUEST
       }).QueryInterface(Ci.nsIHttpChannel);
       channel.loadGroup = loadgroup;
       channel.loadFlags |= Ci.nsIRequest.LOAD_BACKGROUND |
                            Ci.nsIRequest.LOAD_BYPASS_CACHE;
       channel.requestMethod = "GET";
       channel.setRequestHeader("X-Moz", "livebookmarks", false);
 
--- a/toolkit/components/social/SocialService.jsm
+++ b/toolkit/components/social/SocialService.jsm
@@ -148,17 +148,17 @@ XPCOMUtils.defineLazyGetter(SocialServic
     }
   }
   return providers;
 });
 
 function getOriginActivationType(origin) {
   // if this is an about uri, treat it as a directory
   let URI = Services.io.newURI(origin, null, null);
-  let principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(URI);
+  let principal = Services.scriptSecurityManager.createCodebasePrincipal(URI, {});
   if (Services.scriptSecurityManager.isSystemPrincipal(principal) || origin == "moz-safe-about:home") {
     return "internal";
   }
 
   let directories = Services.prefs.getCharPref("social.directories").split(',');
   if (directories.indexOf(origin) >= 0)
     return "directory";
 
@@ -508,17 +508,17 @@ this.SocialService = {
       if (!data['origin']) {
         Cu.reportError("SocialService.manifestFromData directory service provided manifest without origin.");
         return null;
       }
       installOrigin = data.origin;
     }
     // force/fixup origin
     let URI = Services.io.newURI(installOrigin, null, null);
-    principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(URI);
+    principal = Services.scriptSecurityManager.createCodebasePrincipal(URI, {});
     data.origin = principal.origin;
 
     // iconURL and name are required
     let providerHasFeatures = [url for (url of featureURLs) if (data[url])].length > 0;
     if (!providerHasFeatures) {
       Cu.reportError("SocialService.manifestFromData manifest missing required urls.");
       return null;
     }
@@ -709,17 +709,17 @@ function SocialProvider(input) {
   this.shareURL = input.shareURL;
   this.statusURL = input.statusURL;
   this.markURL = input.markURL;
   this.markedIcon = input.markedIcon;
   this.unmarkedIcon = input.unmarkedIcon;
   this.postActivationURL = input.postActivationURL;
   this.origin = input.origin;
   let originUri = Services.io.newURI(input.origin, null, null);
-  this.principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(originUri);
+  this.principal = Services.scriptSecurityManager.createCodebasePrincipal(originUri, {});
   this.ambientNotificationIcons = {};
   this.errorState = null;
   this.frecency = 0;
 
   // this provider has localStorage access in the worker if listed in the
   // whitelist
   let whitelist = Services.prefs.getCharPref("social.whitelist").split(',');
   this.blessed = whitelist.indexOf(this.origin) >= 0;
--- a/toolkit/components/url-classifier/tests/unit/head_urlclassifier.js
+++ b/toolkit/components/url-classifier/tests/unit/head_urlclassifier.js
@@ -216,17 +216,17 @@ tableData : function(expectedTables, cb)
 
 checkUrls: function(urls, expected, cb)
 {
   // work with a copy of the list.
   urls = urls.slice(0);
   var doLookup = function() {
     if (urls.length > 0) {
       var fragment = urls.shift();
-      var principal = secMan.getNoAppCodebasePrincipal(iosvc.newURI("http://" + fragment, null, null));
+      var principal = secMan.createCodebasePrincipal(iosvc.newURI("http://" + fragment, null, null), {});
       dbservice.lookup(principal, allTables,
                                 function(arg) {
                                   do_check_eq(expected, arg);
                                   doLookup();
                                 }, true);
     } else {
       cb();
     }
--- a/toolkit/components/url-classifier/tests/unit/test_dbservice.js
+++ b/toolkit/components/url-classifier/tests/unit/test_dbservice.js
@@ -92,17 +92,17 @@ function testFailure(arg) {
   do_throw(arg);
 }
 
 function checkNoHost()
 {
   // Looking up a no-host uri such as a data: uri should throw an exception.
   var exception;
   try {
-    var principal = secMan.getNoAppCodebasePrincipal(iosvc.newURI("data:text/html,<b>test</b>", null, null));
+    var principal = secMan.createCodebasePrincipal(iosvc.newURI("data:text/html,<b>test</b>", null, null), {});
     dbservice.lookup(principal, allTables);
 
     exception = false;
   } catch(e) {
     exception = true;
   }
   do_check_true(exception);
 
@@ -193,36 +193,37 @@ function unwantedExists(result) {
     checkDone();
   }
 }
 
 function checkState()
 {
   numExpecting = 0;
 
+
   for (var key in phishExpected) {
-    var principal = secMan.getNoAppCodebasePrincipal(iosvc.newURI("http://" + key, null, null));
+    var principal = secMan.createCodebasePrincipal(iosvc.newURI("http://" + key, null, null), {});
     dbservice.lookup(principal, allTables, phishExists, true);
     numExpecting++;
   }
 
   for (var key in phishUnexpected) {
-    var principal = secMan.getNoAppCodebasePrincipal(iosvc.newURI("http://" + key, null, null));
+    var principal = secMan.createCodebasePrincipal(iosvc.newURI("http://" + key, null, null), {});
     dbservice.lookup(principal, allTables, phishDoesntExist, true);
     numExpecting++;
   }
 
   for (var key in malwareExpected) {
-    var principal = secMan.getNoAppCodebasePrincipal(iosvc.newURI("http://" + key, null, null));
+    var principal = secMan.createCodebasePrincipal(iosvc.newURI("http://" + key, null, null), {});
     dbservice.lookup(principal, allTables, malwareExists, true);
     numExpecting++;
   }
 
   for (var key in unwantedExpected) {
-    var principal = secMan.getNoAppCodebasePrincipal(iosvc.newURI("http://" + key, null, null));
+    var principal = secMan.createCodebasePrincipal(iosvc.newURI("http://" + key, null, null), {});
     dbservice.lookup(principal, allTables, unwantedExists, true);
     numExpecting++;
   }
 }
 
 function testSubSuccess(result)
 {
   do_check_eq(result, "1000");
--- a/toolkit/components/url-classifier/tests/unit/test_digest256.js
+++ b/toolkit/components/url-classifier/tests/unit/test_digest256.js
@@ -119,28 +119,28 @@ add_test(function test_update() {
     "goog-downloadwhite-digest256",
     "goog-downloadwhite-digest256;\n",
     "http://localhost:4444/downloads",
     updateSuccess, handleError, handleError);
 });
 
 add_test(function test_url_not_whitelisted() {
   let uri = createURI("http://example.com");
-  let principal = gSecMan.getNoAppCodebasePrincipal(uri);
+  let principal = gSecMan.createCodebasePrincipal(uri, {});
   gDbService.lookup(principal, "goog-downloadwhite-digest256",
     function handleEvent(aEvent) {
       // This URI is not on any lists.
       do_check_eq("", aEvent);
       run_next_test();
     });
 });
 
 add_test(function test_url_whitelisted() {
   // Hash of "whitelisted.com/" (canonicalized URL) is:
   // 93CA5F48E15E9861CD37C2D95DB43D23CC6E6DE5C3F8FA6E8BE66F97CC518907
   let uri = createURI("http://whitelisted.com");
-  let principal = gSecMan.getNoAppCodebasePrincipal(uri);
+  let principal = gSecMan.createCodebasePrincipal(uri, {});
   gDbService.lookup(principal, "goog-downloadwhite-digest256",
     function handleEvent(aEvent) {
       do_check_eq("goog-downloadwhite-digest256", aEvent);
       run_next_test();
     });
 });
--- a/toolkit/forgetaboutsite/test/unit/test_removeDataFromDomain.js
+++ b/toolkit/forgetaboutsite/test/unit/test_removeDataFromDomain.js
@@ -180,19 +180,19 @@ function check_login_exists(aHost, aExis
  * @param aURI
  *        The URI to add the test permission for.
  */
 function add_permission(aURI)
 {
   check_permission_exists(aURI, false);
   let pm = Cc["@mozilla.org/permissionmanager;1"].
            getService(Ci.nsIPermissionManager);
-  let principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(aURI);
+  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+  let principal = ssm.createCodebasePrincipal(aURI, {});
 
   pm.addFromPrincipal(principal, PERMISSION_TYPE, PERMISSION_VALUE);
   check_permission_exists(aURI, true);
 }
 
 /**
  * Checks to see if a permission exists for the given URI.
  *
@@ -200,19 +200,19 @@ function add_permission(aURI)
  *        The URI to check if a permission exists.
  * @param aExists
  *        True if the permission should exist, false otherwise.
  */
 function check_permission_exists(aURI, aExists)
 {
   let pm = Cc["@mozilla.org/permissionmanager;1"].
            getService(Ci.nsIPermissionManager);
-  let principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(aURI);
+  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+  let principal = ssm.createCodebasePrincipal(aURI, {});
 
   let perm = pm.testExactPermissionFromPrincipal(principal, PERMISSION_TYPE);
   let checker = aExists ? do_check_eq : do_check_neq;
   checker(perm, PERMISSION_VALUE);
 }
 
 /**
  * Adds a content preference for the specified URI.
@@ -549,19 +549,20 @@ function test_cache_cleared()
   ForgetAboutSite.removeDataFromDomain("mozilla.org");
   do_test_pending();
 }
 
 function test_storage_cleared()
 {
   function getStorageForURI(aURI)
   {
-    let principal = Cc["@mozilla.org/scriptsecuritymanager;1"].
-                    getService(Ci.nsIScriptSecurityManager).
-                    getNoAppCodebasePrincipal(aURI);
+    let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+    let principal = ssm.createCodebasePrincipal(aURI, {});
+
     let dsm = Cc["@mozilla.org/dom/localStorage-manager;1"].
               getService(Ci.nsIDOMStorageManager);
     return dsm.createStorage(null, principal, "");
   }
 
   let s = [
     getStorageForURI(uri("http://mozilla.org")),
     getStorageForURI(uri("http://my.mozilla.org")),
--- a/toolkit/modules/NewTabUtils.jsm
+++ b/toolkit/modules/NewTabUtils.jsm
@@ -20,17 +20,17 @@ XPCOMUtils.defineLazyModuleGetter(this, 
 XPCOMUtils.defineLazyModuleGetter(this, "PageThumbs",
   "resource://gre/modules/PageThumbs.jsm");
 
 XPCOMUtils.defineLazyModuleGetter(this, "BinarySearch",
   "resource://gre/modules/BinarySearch.jsm");
 
 XPCOMUtils.defineLazyGetter(this, "gPrincipal", function () {
   let uri = Services.io.newURI("about:newtab", null, null);
-  return Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri);
+  return Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
 });
 
 XPCOMUtils.defineLazyGetter(this, "gCryptoHash", function () {
   return Cc["@mozilla.org/security/hash;1"].createInstance(Ci.nsICryptoHash);
 });
 
 XPCOMUtils.defineLazyGetter(this, "gUnicodeConverter", function () {
   let converter = Cc["@mozilla.org/intl/scriptableunicodeconverter"]
--- a/toolkit/modules/PermissionsUtils.jsm
+++ b/toolkit/modules/PermissionsUtils.jsm
@@ -34,18 +34,18 @@ function importPrefBranch(aPrefBranch, a
         // This preference used to contain a list of hosts. For back-compat
         // reasons, we convert these hosts into http:// and https:// permissions
         // on default ports.
         try {
           let httpURI = Services.io.newURI("http://" + origin, null, null);
           let httpsURI = Services.io.newURI("https://" + origin, null, null);
 
           principals = [
-            Services.scriptSecurityManager.getNoAppCodebasePrincipal(httpURI),
-            Services.scriptSecurityManager.getNoAppCodebasePrincipal(httpsURI)
+            Services.scriptSecurityManager.createCodebasePrincipal(httpURI, {}),
+            Services.scriptSecurityManager.createCodebasePrincipal(httpsURI, {})
           ];
         } catch (e2) {}
       }
 
       for (let principal of principals) {
         try {
           Services.perms.addFromPrincipal(principal, aPermission, aAction);
         } catch (e) {}
--- a/toolkit/webapps/NativeApp.jsm
+++ b/toolkit/webapps/NativeApp.jsm
@@ -452,20 +452,19 @@ function downloadIcon(aIconURI) {
     });
 #endif
 
     // If not fetching an icon from chrome:// then we should create a
     // NoAppCodeBasePrincipal. Note, that we are still in the process of
     // installing the app, hence app.origin is not available yet and
     // therefore we can not call getAppCodebasePrincipal.
     let principal =
-      aIconURI.schemeIs("chrome") ? Services.scriptSecurityManager
-                                            .getSystemPrincipal()
-                                  : Services.scriptSecurityManager
-                                            .getNoAppCodebasePrincipal(aIconURI);
+      aIconURI.schemeIs("chrome") ?
+        Services.scriptSecurityManager.getSystemPrincipal() :
+        Services.scriptSecurityManager.createCodebasePrincipal(aIconURI, {});
 
     let channel = NetUtil.newChannel({
       uri: aIconURI,
       loadingPrincipal: principal,
       contentPolicyType: Ci.nsIContentPolicy.TYPE_IMAGE});
     let { BadCertHandler } = Cu.import("resource://gre/modules/CertUtils.jsm", {});
     // Pass true to avoid optional redirect-cert-checking behavior.
     channel.notificationCallbacks = new BadCertHandler(true);
--- a/uriloader/prefetch/nsOfflineCacheUpdateService.cpp
+++ b/uriloader/prefetch/nsOfflineCacheUpdateService.cpp
@@ -24,17 +24,16 @@
 #include "nsIDocument.h"
 #include "nsIObserverService.h"
 #include "nsIURL.h"
 #include "nsIWebProgress.h"
 #include "nsIWebNavigation.h"
 #include "nsICryptoHash.h"
 #include "nsIPermissionManager.h"
 #include "nsIPrincipal.h"
-#include "nsIScriptSecurityManager.h"
 #include "nsNetCID.h"
 #include "nsServiceManagerUtils.h"
 #include "nsStreamUtils.h"
 #include "nsThreadUtils.h"
 #include "nsProxyRelease.h"
 #include "mozilla/Logging.h"
 #include "nsIAsyncVerifyRedirectCallback.h"
 #include "mozilla/Preferences.h"
@@ -713,30 +712,30 @@ nsOfflineCacheUpdateService::OfflineAppA
     return OfflineAppPermForPrincipal(aPrincipal, aPrefBranch, false, aAllowed);
 }
 
 NS_IMETHODIMP
 nsOfflineCacheUpdateService::OfflineAppAllowedForURI(nsIURI *aURI,
                                                      nsIPrefBranch *aPrefBranch,
                                                      bool *aAllowed)
 {
-    nsCOMPtr<nsIPrincipal> principal;
-    nsContentUtils::GetSecurityManager()->
-        GetNoAppCodebasePrincipal(aURI, getter_AddRefs(principal));
+    OriginAttributes attrs;
+    nsCOMPtr<nsIPrincipal> principal =
+        BasePrincipal::CreateCodebasePrincipal(aURI, attrs);
     return OfflineAppPermForPrincipal(principal, aPrefBranch, false, aAllowed);
 }
 
 nsresult
 nsOfflineCacheUpdateService::OfflineAppPinnedForURI(nsIURI *aDocumentURI,
                                                     nsIPrefBranch *aPrefBranch,
                                                     bool *aPinned)
 {
-    nsCOMPtr<nsIPrincipal> principal;
-    nsContentUtils::GetSecurityManager()->
-        GetNoAppCodebasePrincipal(aDocumentURI, getter_AddRefs(principal));
+    OriginAttributes attrs;
+    nsCOMPtr<nsIPrincipal> principal =
+        BasePrincipal::CreateCodebasePrincipal(aDocumentURI, attrs);
     return OfflineAppPermForPrincipal(principal, aPrefBranch, true, aPinned);
 }
 
 NS_IMETHODIMP
 nsOfflineCacheUpdateService::AllowOfflineApp(nsIDOMWindow *aWindow,
                                              nsIPrincipal *aPrincipal)
 {
     nsresult rv;