Bug 1286190 - Get rid of MOZ_CHILD_PERMISSIONS r=bz
authorFabrice Desré <fabrice@mozilla.com>
Tue, 05 Apr 2016 13:34:53 +0200
changeset 304936 11b0b0c476095b24faa650eb0dcb387dd1f61c3d
parent 304894 5df61b441fa4d208272c35aac1f9975c59b5cff8
child 304937 d223b3cdee6645c6c062d3b53027a1ec29a76f20
push id79467
push usercbook@mozilla.com
push dateThu, 14 Jul 2016 09:57:06 +0000
treeherdermozilla-inbound@1983612a169b [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbz
bugs1286190
milestone50.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1286190 - Get rid of MOZ_CHILD_PERMISSIONS r=bz MozReview-Commit-ID: Lx2kozynptu
dom/base/test/mochitest-child-permissions.ini
dom/base/test/moz.build
dom/base/test/test_child_process_shutdown_message.html
dom/base/test/test_messagemanager_assertpermission.html
dom/html/HTMLInputElement.cpp
dom/html/HTMLInputElement.h
dom/indexedDB/ActorsParent.cpp
dom/inputmethod/MozKeyboard.js
dom/inputmethod/mochitest/mochitest.ini
dom/ipc/AppProcessChecker.cpp
dom/ipc/Blob.cpp
dom/ipc/ContentParent.cpp
old-configure.in
deleted file mode 100644
--- a/dom/base/test/mochitest-child-permissions.ini
+++ /dev/null
@@ -1,4 +0,0 @@
-[test_messagemanager_assertpermission.html]
-skip-if = buildapp == 'mulet' || buildapp == 'b2g' #b2g(specialpowers.wrap issue, NS_ERROR_XPC_GS_RETURNED_FAILURE) b2g-debug(specialpowers.wrap issue, NS_ERROR_XPC_GS_RETURNED_FAILURE) b2g-desktop(specialpowers.wrap issue, NS_ERROR_XPC_GS_RETURNED_FAILURE)
-[test_child_process_shutdown_message.html]
-skip-if = buildapp == 'mulet' || buildapp == 'b2g' #b2g(specialpowers.wrap issue, NS_ERROR_XPC_GS_RETURNED_FAILURE) b2g-debug(specialpowers.wrap issue, NS_ERROR_XPC_GS_RETURNED_FAILURE) b2g-desktop(specialpowers.wrap issue, NS_ERROR_XPC_GS_RETURNED_FAILURE)
--- a/dom/base/test/moz.build
+++ b/dom/base/test/moz.build
@@ -14,23 +14,16 @@ GeckoCppUnitTests([
     'TestNativeXMLHttpRequest',
     'TestPlainTextSerializer',
 ])
 
 MOCHITEST_MANIFESTS += [
     'mochitest.ini',
     'websocket_hybi/mochitest.ini',
 ]
-# OOP tests don't work on Windows (bug 763081) or native-fennec
-# (see Bug 774939). App permission checks are also disabled on
-# anything but B2G (Bug 900707).
-if CONFIG['MOZ_CHILD_PERMISSIONS']:
-    MOCHITEST_MANIFESTS += [
-        'mochitest-child-permissions.ini',
-    ]
 
 MOCHITEST_CHROME_MANIFESTS += [
     'chrome.ini',
     'chrome/chrome.ini',
 ]
 
 BROWSER_CHROME_MANIFESTS += [
     'browser.ini',
deleted file mode 100644
--- a/dom/base/test/test_child_process_shutdown_message.html
+++ /dev/null
@@ -1,171 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-  <meta charset="utf-8">
-  <title>Test that processes that are shutdown send a 'process-shutdown'
-         message to their process message manager.</title>
-  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>        
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
-</head>
-<body onload="runTests();">
-<p id="display">
-</p>
-<div id="content" style="display: none">
-  
-</div>
-<pre id="test">
-<script class="testbody" type="application/javascript;version=1.8">
-
-const APP_URL = "http://example.org";
-const APP_MANIFEST = "http://example.org/manifest.webapp";
-const CHILD_PROCESS_SHUTDOWN_MESSAGE = "child-process-shutdown";
-
-let ppmm = SpecialPowers.Cc["@mozilla.org/parentprocessmessagemanager;1"]
-                        .getService(SpecialPowers.Ci.nsIMessageBroadcaster);
-let obs = SpecialPowers.Cc["@mozilla.org/observer-service;1"]
-                       .getService(SpecialPowers.Ci.nsIObserverService);
-
-/**
- * Load the example.org site in an <iframe mozbrowser>
- *
- * @param isApp
- *        If true, the example.org site will be loaded as an app.
- */
-function loadBrowser(isApp, callback) {
-  let iframe = document.createElement("iframe");
-  if (isApp) {
-    iframe.setAttribute("mozapp", APP_MANIFEST);
-  }
-  SpecialPowers.wrap(iframe).mozbrowser = true;
-  iframe.src = APP_URL;
-  document.getElementById("content").appendChild(iframe);
-
-  iframe.addEventListener("mozbrowserloadend", function onloadend() {
-    iframe.removeEventListener("mozbrowserloadend", onloadend);
-    callback(iframe);
-  });
-}
-
-/**
- * Prepare the child process for an intentional crash. This is to keep
- * the leak automation tools happy.
- *
- * This also allows us to acquire the process message manaager that
- * corresponds to the process by sending a message to a frame script
- * in the content process and having it reply to us via the child
- * process message manager.
- */
-function prepareProcess(frameMM, callback) {
-  let frameScript = 'data:,\
-    privateNoteIntentionalCrash();\
-    var cpmm = Components.classes["@mozilla.org/childprocessmessagemanager;1"]\
-                         .getService(Components.interfaces.nsISyncMessageSender);\
-    addMessageListener("TestChild:Ohai", function receiveMessage(msg) {\
-      cpmm.sendAsyncMessage("TestChild:Ohai");\
-    });';
-  frameMM.loadFrameScript(frameScript, false);
-  frameMM.sendAsyncMessage("TestChild:Ohai");
-  ppmm.addMessageListener("TestChild:Ohai", function receiveMessage(msg) {
-    ppmm.removeMessageListener("TestChild:Ohai", receiveMessage);
-    msg = SpecialPowers.wrap(msg);
-    callback(msg.target);
-  });
-}
-
-/**
- * Expects an OOP frame's process to shut down and report four
- * events/messages: an error event on the browser element, and a
- * 'child-process-shutdown' message on both the frame and process
- * message managers.
- */
-function expectFrameProcessShutdown(iframe, frameMM, processMM, callback) {
-  let msgCount = 0;
-  function countMessage() {
-    msgCount += 1;
-    if (msgCount == 4) {
-      ok(true, "Observed all four expected events.");
-      callback();
-    }
-  };
-
-  iframe.addEventListener("mozbrowsererror", function onerror(event) {
-    iframe.removeEventListener("mozbrowsererror", onerror);
-    is(event.detail.type, "fatal", "Observed expected event.");
-    countMessage();
-  });
-
-  processMM.addMessageListener(CHILD_PROCESS_SHUTDOWN_MESSAGE, function receiveMessage() {
-    processMM.removeMessageListener(CHILD_PROCESS_SHUTDOWN_MESSAGE, receiveMessage);
-    ok(true, "Received 'child-process-shutdown' message from process message manager.");
-    countMessage();
-  });
-
-  frameMM.addMessageListener(CHILD_PROCESS_SHUTDOWN_MESSAGE, function receiveMessage() {
-    frameMM.removeMessageListener(CHILD_PROCESS_SHUTDOWN_MESSAGE, receiveMessage);
-    ok(true, "Received 'child-process-shutdown' message from frame message manager.");
-    countMessage();
-  });
-
-  obs.addObserver(function observe(subject, type, data) {
-    if (subject == SpecialPowers.unwrap(processMM)) {
-      obs.removeObserver(observe, "message-manager-disconnect");
-      ok(true, "Received 'message-manager-disconnect' notification with " +
-               "frame message manager");
-      countMessage();
-    }
-  }, "message-manager-disconnect", false);
-}
-
-function setUp() {
-  SpecialPowers.addPermission("browser", true, window.document);
-  SpecialPowers.addPermission("embed-apps", true, window.document);
-  // TODO: remove network.disable.ipc.security in bug 820712
-  SpecialPowers.pushPrefEnv({
-    "set": [['dom.mozBrowserFramesEnabled', true],
-            ['dom.ipc.browser_frames.oop_by_default', true],
-            ['network.disable.ipc.security', true]]}, runNextTest);
-}
-
-function makeKillTest(isApp) {
-  return function testKill() {
-    loadBrowser(isApp, function (iframe) {
-      // We want to make sure we get notified on both the frame and
-      // process message managers.
-      let frameMM = SpecialPowers.getBrowserFrameMessageManager(iframe);
-      prepareProcess(frameMM, function (processMM) {
-        // Let's kill the content process by asking for a permission
-        // that it doesn't have.
-        ok(!processMM.assertPermission("frobnaz"),
-           "Content child should not have this permission");
-        expectFrameProcessShutdown(iframe, frameMM, processMM, function () {
-          iframe.parentNode.removeChild(iframe);
-          runNextTest();
-        });
-      });
-    });
-  };
-}
-
-function tearDown() {
-  SimpleTest.finish();
-}
-
-let _tests = [
-  setUp,
-  makeKillTest(false),
-  makeKillTest(true),
-  tearDown
-]
-function runNextTest() {
-  SimpleTest.executeSoon(_tests.shift());
-}
-
-function runTests() {
-  SimpleTest.waitForExplicitFinish();
-  runNextTest();
-}
-
-</script>
-</pre>
-</body>
-</html>
deleted file mode 100644
--- a/dom/base/test/test_messagemanager_assertpermission.html
+++ /dev/null
@@ -1,192 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-  <meta charset="utf-8">
-  <title>Test for the nsIProcessChecker part of Message Managers</title>
-  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>        
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
-</head>
-<body onload="runTests();">
-<p id="display">
-</p>
-<div id="content" style="display: none">
-  
-</div>
-<pre id="test">
-<script class="testbody" type="application/javascript;version=1.8">
-
-const APP_URL = "http://example.org";
-const APP_MANIFEST = "http://example.org/manifest.webapp";
-const CHILD_PROCESS_SHUTDOWN_MESSAGE = "child-process-shutdown";
-
-let ppmm = SpecialPowers.Cc["@mozilla.org/parentprocessmessagemanager;1"]
-                        .getService(SpecialPowers.Ci.nsIMessageBroadcaster);
-let cpmm = SpecialPowers.Cc["@mozilla.org/childprocessmessagemanager;1"]
-                        .getService(SpecialPowers.Ci.nsISyncMessageSender);
-let gAppsService = SpecialPowers.Cc["@mozilla.org/AppsService;1"]
-                     .getService(SpecialPowers.Ci.nsIAppsService);
-
-function setUp() {
-  SpecialPowers.addPermission("browser", true, window.document);
-  SpecialPowers.addPermission("embed-apps", true, window.document);
-
-  let appId = gAppsService.getAppLocalIdByManifestURL(APP_MANIFEST);
-  SpecialPowers.addPermission("foobar", true, { url: APP_URL,
-                                                originAttributes: { appId: appId }
-                                              });
-  SpecialPowers.pushPrefEnv({"set":[['dom.mozBrowserFramesEnabled', true],
-                                    ['dom.ipc.browser_frames.oop_by_default', true]]}, runNextTest);
-}
-
-/**
- * Load the example.org app in an <iframe mozbrowser mozapp>
- */
-function loadApp(callback) {
-  let iframe = document.createElement("iframe");
-  iframe.setAttribute("mozapp", APP_MANIFEST);
-  SpecialPowers.wrap(iframe).mozbrowser = true;
-  iframe.src = APP_URL;
-  document.getElementById("content").appendChild(iframe);
-
-  iframe.addEventListener("mozbrowserloadend", function onloadend() {
-    iframe.removeEventListener("mozbrowserloadend", onloadend);
-    callback(iframe);
-  });
-}
-
-/**
- * Prepare the child process for an intentional crash. This is to keep
- * the leak automation tools happy.
- *
- * This also allows us to acquire the process message manaager that
- * corresponds to the process by sending a message to a frame script
- * in the content process and having it reply to us via the child
- * process message manager.
- */
-function prepareProcess(frameMM, callback) {
-  let frameScript = 'data:,\
-    privateNoteIntentionalCrash();\
-    var cpmm = Components.classes["@mozilla.org/childprocessmessagemanager;1"]\
-                         .getService(Components.interfaces.nsISyncMessageSender);\
-    addMessageListener("TestChild:Ohai", function receiveMessage(msg) {\
-      cpmm.sendAsyncMessage("TestChild:Ohai");\
-    });';
-  frameMM.loadFrameScript(frameScript, false);
-  frameMM.sendAsyncMessage("TestChild:Ohai");
-  ppmm.addMessageListener("TestChild:Ohai", function receiveMessage(msg) {
-    ppmm.removeMessageListener("TestChild:Ohai", receiveMessage);
-    msg = SpecialPowers.wrap(msg);
-    callback(msg.target);
-  });
-}
-
-/**
- * Expects an OOP frame's process to shut down and report three
- * events/messages: an error event on the browser element, and a
- * 'child-process-shutdown' message on both the frame and process
- * message managers.
- */
-function expectFrameProcessShutdown(iframe, frameMM, processMM, callback) {
-  let msgCount = 0;
-  function countMessage() {
-    msgCount += 1;
-    if (msgCount == 3) {
-      ok(true, "Observed all three expected events.");
-      callback();
-    }
-  };
-
-  iframe.addEventListener("mozbrowsererror", function onerror(event) {
-    iframe.removeEventListener("mozbrowsererror", onerror);
-    is(event.detail.type, "fatal", "Observed expected event.");
-    countMessage();
-  });
-
-  processMM.addMessageListener(CHILD_PROCESS_SHUTDOWN_MESSAGE, function receiveMessage() {
-    processMM.removeMessageListener(CHILD_PROCESS_SHUTDOWN_MESSAGE, receiveMessage);
-    ok(true, "Received 'child-process-shutdown' message from process message manager.");
-    countMessage();
-  });
-
-  frameMM.addMessageListener(CHILD_PROCESS_SHUTDOWN_MESSAGE, function receiveMessage() {
-    frameMM.removeMessageListener(CHILD_PROCESS_SHUTDOWN_MESSAGE, receiveMessage);
-    ok(true, "Received 'child-process-shutdown' message from frame message manager.");
-    countMessage();
-  });
-}
-
-function testSameProcess() {
-  // Assert permissions on the in-process child process message manager.
-  // It always has all permissions, including ones that were never
-  // assigned to anybody.
-
-  cpmm.sendAsyncMessage("TestPermission:InProcess");
-  ppmm.addMessageListener("TestPermission:InProcess", function receiveMessage(msg) {
-    ppmm.removeMessageListener("TestPermission:InProcess", receiveMessage);
-    msg = SpecialPowers.wrap(msg);
-
-    ok(msg.target.assertPermission("frobnaz"), "in-process cpmm always has all capabilities");
-    runNextTest();
-  });
-}
-
-function testFrameMessageManager() {
-  // Assert permissions on the frame message manager.
-
-  loadApp(function (iframe) {
-    let frameMM = SpecialPowers.getBrowserFrameMessageManager(iframe);
-    prepareProcess(frameMM, function (processMM) {
-      ok(frameMM.assertPermission("foobar"),
-         "Frame mm has assigned permission.");
-      ok(!frameMM.assertPermission("frobnaz"),
-         "Frame mm doesn't have non-existing permission.");
-      expectFrameProcessShutdown(iframe, frameMM, processMM, function () {
-        iframe.parentNode.removeChild(iframe);
-        runNextTest();
-      });
-    });
-  });
-}
-
-function testChildProcessMessageManager() {
-  // Assert permissions on the child process message manager.
-
-  loadApp(function (iframe) {
-    let frameMM = SpecialPowers.getBrowserFrameMessageManager(iframe);
-    prepareProcess(frameMM, function (processMM) {
-      ok(processMM.assertPermission("foobar"),
-         "Process mm has assigned permission.");
-      ok(!processMM.assertPermission("frobnaz"),
-         "Process mm doesn't have non-existing permission.");
-      expectFrameProcessShutdown(iframe, frameMM, processMM, function () {
-        iframe.parentNode.removeChild(iframe);
-        runNextTest();
-      });
-    });
-  });
-}
-
-function tearDown() {
-  SimpleTest.finish();
-}
-
-let _tests = [
-  setUp,
-  testSameProcess,
-  testFrameMessageManager,
-  testChildProcessMessageManager,
-  tearDown
-]
-function runNextTest() {
-  SimpleTest.executeSoon(_tests.shift());
-}
-
-function runTests() {
-  SimpleTest.waitForExplicitFinish();
-  runNextTest();
-}
-
-</script>
-</pre>
-</body>
-</html>
--- a/dom/html/HTMLInputElement.cpp
+++ b/dom/html/HTMLInputElement.cpp
@@ -2160,33 +2160,17 @@ HTMLInputElement::GetValueInternal(nsASt
         mInputData.mState->GetValue(aValue, true);
       } else if (!aValue.Assign(mInputData.mValue, fallible)) {
         return NS_ERROR_OUT_OF_MEMORY;
       }
       return NS_OK;
 
     case VALUE_MODE_FILENAME:
       if (nsContentUtils::LegacyIsCallerChromeOrNativeCode()) {
-#ifndef MOZ_CHILD_PERMISSIONS
         aValue.Assign(mFirstFilePath);
-#else
-        // XXX We'd love to assert that this can't happen, but some mochitests
-        // use SpecialPowers to circumvent our more sane security model.
-        if (!mFilesOrDirectories.IsEmpty()) {
-          ErrorResult rv;
-          GetDOMFileOrDirectoryPath(mFilesOrDirectories[0], aValue, rv);
-          if (NS_WARN_IF(rv.Failed())) {
-            return rv.StealNSResult();
-          }
-          return NS_OK;
-        }
-        else {
-          aValue.Truncate();
-        }
-#endif
       } else {
         // Just return the leaf name
         if (mFilesOrDirectories.IsEmpty()) {
           aValue.Truncate();
         } else {
           GetDOMFileOrDirectoryName(mFilesOrDirectories[0], aValue);
         }
       }
@@ -3345,32 +3329,30 @@ HTMLInputElement::AfterSetFilesOrDirecto
   // new value.  We just want the display to update as needed.
   nsIFormControlFrame* formControlFrame = GetFormControlFrame(false);
   if (formControlFrame) {
     nsAutoString readableValue;
     GetDisplayFileName(readableValue);
     formControlFrame->SetFormProperty(nsGkAtoms::value, readableValue);
   }
 
-#ifndef MOZ_CHILD_PERMISSIONS
   // Grab the full path here for any chrome callers who access our .value via a
   // CPOW. This path won't be called from a CPOW meaning the potential sync IPC
   // call under GetMozFullPath won't be rejected for not being urgent.
   // XXX Protected by the ifndef because the blob code doesn't allow us to send
   // this message in b2g.
   if (mFilesOrDirectories.IsEmpty()) {
     mFirstFilePath.Truncate();
   } else {
     ErrorResult rv;
     GetDOMFileOrDirectoryPath(mFilesOrDirectories[0], mFirstFilePath, rv);
     if (NS_WARN_IF(rv.Failed())) {
       rv.SuppressException();
     }
   }
-#endif
 
   UpdateFileList();
 
   if (aSetValueChanged) {
     SetValueChanged(true);
   }
 
   UpdateAllValidityStates(true);
--- a/dom/html/HTMLInputElement.h
+++ b/dom/html/HTMLInputElement.h
@@ -1385,22 +1385,20 @@ protected:
    * this member, never by the frame. Whenever the frame wants to change the
    * filename it has to call SetFilesOrDirectories to update this member.
    */
   nsTArray<OwningFileOrDirectory> mFilesOrDirectories;
 
   RefPtr<GetFilesHelper> mGetFilesRecursiveHelper;
   RefPtr<GetFilesHelper> mGetFilesNonRecursiveHelper;
 
-#ifndef MOZ_CHILD_PERMISSIONS
   /**
    * Hack for bug 1086684: Stash the .value when we're a file picker.
    */
   nsString mFirstFilePath;
-#endif
 
   RefPtr<FileList>  mFileList;
   Sequence<RefPtr<Entry>> mEntries;
 
   nsString mStaticDocFileList;
 
   /**
    * The value of the input element when first initialized and it is updated
--- a/dom/indexedDB/ActorsParent.cpp
+++ b/dom/indexedDB/ActorsParent.cpp
@@ -20278,35 +20278,19 @@ FactoryOp::CheckPermission(ContentParent
       !isApp) {
     return NS_ERROR_DOM_INDEXEDDB_NOT_ALLOWED_ERR;
   }
 #endif
 
   PermissionRequestBase::PermissionValue permission;
 
   if (QuotaManager::IsFirstPromptRequired(persistenceType, origin, isApp)) {
-#ifdef MOZ_CHILD_PERMISSIONS
-    if (aContentParent) {
-      if (NS_WARN_IF(!AssertAppPrincipal(aContentParent, principal))) {
-        IDB_REPORT_INTERNAL_ERR();
-        return NS_ERROR_DOM_INDEXEDDB_UNKNOWN_ERR;
-      }
-
-      uint32_t intPermission =
-        mozilla::CheckPermission(aContentParent, principal, IDB_PREFIX);
-
-      permission =
-        PermissionRequestBase::PermissionValueForIntPermission(intPermission);
-    } else
-#endif // MOZ_CHILD_PERMISSIONS
-    {
-      rv = PermissionRequestBase::GetCurrentPermission(principal, &permission);
-      if (NS_WARN_IF(NS_FAILED(rv))) {
-        return rv;
-      }
+    rv = PermissionRequestBase::GetCurrentPermission(principal, &permission);
+    if (NS_WARN_IF(NS_FAILED(rv))) {
+      return rv;
     }
   } else {
     permission = PermissionRequestBase::kPermissionAllowed;
   }
 
   if (permission != PermissionRequestBase::kPermissionDenied &&
       State::Initial == mState) {
     mSuffix = suffix;
@@ -20375,75 +20359,17 @@ FactoryOp::SendVersionChangeMessages(Dat
 bool
 FactoryOp::CheckAtLeastOneAppHasPermission(ContentParent* aContentParent,
                                            const nsACString& aPermissionString)
 {
   MOZ_ASSERT(NS_IsMainThread());
   MOZ_ASSERT(aContentParent);
   MOZ_ASSERT(!aPermissionString.IsEmpty());
 
-#ifdef MOZ_CHILD_PERMISSIONS
-  const ManagedContainer<PBrowserParent>& browsers =
-    aContentParent->ManagedPBrowserParent();
-
-  if (!browsers.IsEmpty()) {
-    nsCOMPtr<nsIAppsService> appsService =
-      do_GetService(APPS_SERVICE_CONTRACTID);
-    if (NS_WARN_IF(!appsService)) {
-      return false;
-    }
-
-    nsCOMPtr<nsIIOService> ioService = do_GetIOService();
-    if (NS_WARN_IF(!ioService)) {
-      return false;
-    }
-
-    nsCOMPtr<nsIPermissionManager> permMan =
-      mozilla::services::GetPermissionManager();
-    if (NS_WARN_IF(!permMan)) {
-      return false;
-    }
-
-    const nsPromiseFlatCString permissionString =
-      PromiseFlatCString(aPermissionString);
-
-    for (auto iter = browsers.ConstIter(); !iter.Done(); iter.Next()) {
-      uint32_t appId =
-        TabParent::GetFrom(iter.Get()->GetKey())->OwnOrContainingAppId();
-      MOZ_ASSERT(appId != nsIScriptSecurityManager::UNKNOWN_APP_ID &&
-                 appId != nsIScriptSecurityManager::NO_APP_ID);
-
-      nsCOMPtr<mozIApplication> app;
-      nsresult rv = appsService->GetAppByLocalId(appId, getter_AddRefs(app));
-      if (NS_WARN_IF(NS_FAILED(rv))) {
-        return false;
-      }
-
-      nsCOMPtr<nsIPrincipal> principal;
-      app->GetPrincipal(getter_AddRefs(principal));
-      NS_ENSURE_TRUE(principal, false);
-
-      uint32_t permission;
-      rv = permMan->TestExactPermissionFromPrincipal(principal,
-                                                     permissionString.get(),
-                                                     &permission);
-      if (NS_WARN_IF(NS_FAILED(rv))) {
-        return false;
-      }
-
-      if (permission == nsIPermissionManager::ALLOW_ACTION) {
-        return true;
-      }
-    }
-  }
-
-  return false;
-#else
-  return true;
-#endif // MOZ_CHILD_PERMISSIONS
+  return true;
 }
 
 nsresult
 FactoryOp::FinishOpen()
 {
   AssertIsOnOwningThread();
   MOZ_ASSERT(mState == State::FinishOpen);
   MOZ_ASSERT(!mContentParent);
--- a/dom/inputmethod/MozKeyboard.js
+++ b/dom/inputmethod/MozKeyboard.js
@@ -690,21 +690,30 @@ MozInputMethod.prototype = {
       'indexes': indexes
     });
   },
 
   removeFocus: function() {
     cpmm.sendAsyncMessage('System:RemoveFocus', {});
   },
 
+  // Only the system app needs that, so instead of testing a permission which
+  // is allowed for all chrome:// url, we explicitly test that this is the
+  // system app's start URL.
   _hasInputManagePerm: function(win) {
-    let principal = win.document.nodePrincipal;
-    let perm = Services.perms.testExactPermissionFromPrincipal(principal,
-                                                               "input-manage");
-    return (perm === Ci.nsIPermissionManager.ALLOW_ACTION);
+    let url = win.location.href;
+    let systemAppIndex;
+    try {
+      systemAppIndex = Services.prefs.getCharPref('b2g.system_startup_url');
+    } catch(e) {
+      dump('MozKeyboard.jsm: no system app startup url set (pref is b2g.system_startup_url)');
+    }
+
+    dump(`MozKeyboard.jsm expecting ${systemAppIndex}\n`);
+    return url == systemAppIndex;
   }
 };
 
 /**
  * ==============================================
  * InputContextDOMRequestIpcHelper
  * ==============================================
  */
--- a/dom/inputmethod/mochitest/mochitest.ini
+++ b/dom/inputmethod/mochitest/mochitest.ini
@@ -1,11 +1,11 @@
 [DEFAULT]
-# Not supported on Android, bug 983015 for B2G emulator
-skip-if = (toolkit == 'android' || toolkit == 'gonk') || e10s
+# dom/inputmethod only makes sense on B2G
+run-if = (buildapp == 'b2g' && toolkit != 'gonk') || buildapp == 'mulet'
 support-files =
   inputmethod_common.js
   file_inputmethod.html
   file_blank.html
   file_test_app.html
   file_test_sendkey_cancel.html
   file_test_sms_app.html
   file_test_sms_app_1066515.html
--- a/dom/ipc/AppProcessChecker.cpp
+++ b/dom/ipc/AppProcessChecker.cpp
@@ -1,361 +1,33 @@
 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "AppProcessChecker.h"
 #include "nsIPermissionManager.h"
-#ifdef MOZ_CHILD_PERMISSIONS
-#include "ContentParent.h"
-#include "mozIApplication.h"
-#include "mozilla/hal_sandbox/PHalParent.h"
-#include "nsIAppsService.h"
-#include "nsIPrincipal.h"
-#include "nsPrintfCString.h"
-#include "nsIURI.h"
-#include "nsContentUtils.h"
-#include "nsNetUtil.h"
-#include "nsServiceManagerUtils.h"
-#include "TabParent.h"
 
-#include <algorithm>
-
-using namespace mozilla::dom;
-using namespace mozilla::hal_sandbox;
-using namespace mozilla::services;
-#else
 namespace mozilla {
 namespace dom {
 class PContentParent;
 } // namespace dom
 } // namespace mozilla
 
 class nsIPrincipal;
-#endif
 
 namespace mozilla {
 
 #if DEBUG
   #define LOG(...) printf_stderr(__VA_ARGS__)
 #else
   #define LOG(...)
 #endif
 
-#ifdef MOZ_CHILD_PERMISSIONS
-
-static bool
-CheckAppTypeHelper(mozIApplication* aApp,
-                   AssertAppProcessType aType,
-                   const char* aCapability,
-                   bool aIsBrowserElement)
-{
-  bool aValid = false;
-
-  // isBrowser frames inherit their app descriptor to identify their
-  // data storage, but they don't inherit the capability associated
-  // with that descriptor.
-  if (aApp && (aType == ASSERT_APP_HAS_PERMISSION || !aIsBrowserElement)) {
-    switch (aType) {
-      case ASSERT_APP_HAS_PERMISSION:
-      case ASSERT_APP_PROCESS_PERMISSION:
-        if (!NS_SUCCEEDED(aApp->HasPermission(aCapability, &aValid))) {
-          aValid = false;
-        }
-        break;
-      case ASSERT_APP_PROCESS_MANIFEST_URL: {
-        nsAutoString manifestURL;
-        if (NS_SUCCEEDED(aApp->GetManifestURL(manifestURL)) &&
-            manifestURL.EqualsASCII(aCapability)) {
-          aValid = true;
-        }
-        break;
-      }
-      default:
-        break;
-    }
-  }
-  return aValid;
-}
-
-bool
-AssertAppProcess(PBrowserParent* aActor,
-                 AssertAppProcessType aType,
-                 const char* aCapability)
-{
-  if (!aActor) {
-    NS_WARNING("Testing process capability for null actor");
-    return false;
-  }
-
-  TabParent* tab = TabParent::GetFrom(aActor);
-  nsCOMPtr<mozIApplication> app = tab->GetOwnOrContainingApp();
-
-  return CheckAppTypeHelper(app, aType, aCapability, tab->IsMozBrowserElement());
-}
-
-static bool
-CheckAppStatusHelper(mozIApplication* aApp,
-                     unsigned short aStatus)
-{
-  bool valid = false;
-
-  if (aApp) {
-    unsigned short appStatus = 0;
-    if (NS_SUCCEEDED(aApp->GetAppStatus(&appStatus))) {
-      valid = appStatus == aStatus;
-    }
-  }
-
-  return valid;
-}
-
-bool
-AssertAppStatus(PBrowserParent* aActor,
-                unsigned short aStatus)
-{
-  if (!aActor) {
-    NS_WARNING("Testing process capability for null actor");
-    return false;
-  }
-
-  TabParent* tab = TabParent::GetFrom(aActor);
-  nsCOMPtr<mozIApplication> app = tab->GetOwnOrContainingApp();
-
-  return CheckAppStatusHelper(app, aStatus);
-}
-
-// A general purpose helper function to check permission against the origin
-// rather than mozIApplication.
-static bool
-CheckOriginPermission(const nsACString& aOrigin, const char* aPermission)
-{
-  LOG("CheckOriginPermission: %s, %s\n", nsCString(aOrigin).get(), aPermission);
-
-  nsIScriptSecurityManager *securityManager =
-    nsContentUtils::GetSecurityManager();
-
-  nsCOMPtr<nsIPrincipal> principal;
-  securityManager->CreateCodebasePrincipalFromOrigin(aOrigin,
-                                                     getter_AddRefs(principal));
-
-  nsCOMPtr<nsIPermissionManager> permMgr = services::GetPermissionManager();
-  NS_ENSURE_TRUE(permMgr, false);
-
-  uint32_t perm;
-  nsresult rv = permMgr->TestExactPermissionFromPrincipal(principal, aPermission, &perm);
-  NS_ENSURE_SUCCESS(rv, false);
-
-  LOG("Permission %s for %s: %d\n", aPermission, nsCString(aOrigin).get(), perm);
-  return nsIPermissionManager::ALLOW_ACTION == perm;
-}
-
-bool
-AssertAppProcess(TabContext& aContext,
-                 AssertAppProcessType aType,
-                 const char* aCapability)
-{
-  const mozilla::DocShellOriginAttributes& attr = aContext.OriginAttributesRef();
-  nsCString suffix;
-  attr.CreateSuffix(suffix);
-
-  if (!aContext.SignedPkgOriginNoSuffix().IsEmpty()) {
-    LOG("TabContext owning signed package origin: %s, originAttr; %s\n",
-        nsCString(aContext.SignedPkgOriginNoSuffix()).get(),
-        suffix.get());
-  }
-
-  // Do a origin-based permission check if the TabContext owns a signed package.
-  if (!aContext.SignedPkgOriginNoSuffix().IsEmpty() &&
-      (ASSERT_APP_HAS_PERMISSION == aType || ASSERT_APP_PROCESS_PERMISSION == aType)) {
-    nsCString origin = aContext.SignedPkgOriginNoSuffix() + suffix;
-    return CheckOriginPermission(origin, aCapability);
-  }
-
-  nsCOMPtr<mozIApplication> app = aContext.GetOwnOrContainingApp();
-  return CheckAppTypeHelper(app, aType, aCapability, aContext.IsMozBrowserElement());
-}
-
-bool
-AssertAppStatus(TabContext& aContext,
-                unsigned short aStatus)
-{
-
-  nsCOMPtr<mozIApplication> app = aContext.GetOwnOrContainingApp();
-  return CheckAppStatusHelper(app, aStatus);
-}
-
-bool
-AssertAppProcess(PContentParent* aActor,
-                 AssertAppProcessType aType,
-                 const char* aCapability)
-{
-  nsTArray<TabContext> contextArray =
-    static_cast<ContentParent*>(aActor)->GetManagedTabContext();
-  for (uint32_t i = 0; i < contextArray.Length(); ++i) {
-    if (AssertAppProcess(contextArray[i], aType, aCapability)) {
-      return true;
-    }
-  }
-
-  NS_ERROR(
-    nsPrintfCString(
-      "Security problem: Content process does not have `%s'.  It will be killed.\n",
-      aCapability).get());
-
-  static_cast<ContentParent*>(aActor)->KillHard("AssertAppProcess");
-
-  return false;
-}
-
-bool
-AssertAppStatus(PContentParent* aActor,
-                unsigned short aStatus)
-{
-  nsTArray<TabContext> contextArray =
-    static_cast<ContentParent*>(aActor)->GetManagedTabContext();
-  for (uint32_t i = 0; i < contextArray.Length(); ++i) {
-    if (AssertAppStatus(contextArray[i], aStatus)) {
-      return true;
-    }
-  }
-
-  NS_ERROR(
-    nsPrintfCString(
-      "Security problem: Content process does not have `%d' status.  It will be killed.",
-      aStatus).get());
-
-  static_cast<ContentParent*>(aActor)->KillHard("AssertAppStatus");
-
-  return false;
-}
-
-bool
-AssertAppProcess(PHalParent* aActor,
-                 AssertAppProcessType aType,
-                 const char* aCapability)
-{
-  return AssertAppProcess(aActor->Manager(), aType, aCapability);
-}
-
-bool
-AssertAppPrincipal(PContentParent* aActor,
-                   nsIPrincipal* aPrincipal)
-{
-  if (!aPrincipal) {
-    NS_WARNING("Principal is invalid, killing app process");
-    static_cast<ContentParent*>(aActor)->KillHard("AssertAppPrincipal");
-    return false;
-  }
-
-  uint32_t principalAppId = aPrincipal->GetAppId();
-  bool inIsolatedBrowser = aPrincipal->GetIsInIsolatedMozBrowserElement();
-
-  // Check if the permission's appId matches a child we manage.
-  nsTArray<TabContext> contextArray =
-    static_cast<ContentParent*>(aActor)->GetManagedTabContext();
-  for (uint32_t i = 0; i < contextArray.Length(); ++i) {
-    if (contextArray[i].OwnOrContainingAppId() == principalAppId) {
-      // If the child only runs isolated browser content and the principal
-      // claims it's not in an isolated browser element, it's lying.
-      if (!contextArray[i].IsIsolatedMozBrowserElement() || inIsolatedBrowser) {
-        return true;
-      }
-      break;
-    }
-  }
-
-  NS_WARNING("Principal is invalid, killing app process");
-  static_cast<ContentParent*>(aActor)->KillHard("AssertAppPrincipal");
-  return false;
-}
-
-already_AddRefed<nsIPrincipal>
-GetAppPrincipal(uint32_t aAppId)
-{
-  nsCOMPtr<nsIAppsService> appsService = do_GetService(APPS_SERVICE_CONTRACTID);
-
-  nsCOMPtr<mozIApplication> app;
-  nsresult rv = appsService->GetAppByLocalId(aAppId, getter_AddRefs(app));
-  NS_ENSURE_SUCCESS(rv, nullptr);
-
-  nsCOMPtr<nsIPrincipal> principal;
-  app->GetPrincipal(getter_AddRefs(principal));
-
-  return principal.forget();
-}
-
-uint32_t
-CheckPermission(PContentParent* aActor,
-                nsIPrincipal* aPrincipal,
-                const char* aPermission)
-{
-  if (!AssertAppPrincipal(aActor, aPrincipal)) {
-    return nsIPermissionManager::DENY_ACTION;
-  }
-
-  nsCOMPtr<nsIPermissionManager> pm =
-    services::GetPermissionManager();
-  NS_ENSURE_TRUE(pm, nsIPermissionManager::DENY_ACTION);
-
-  // Make sure that `aPermission' is an app permission before checking the origin.
-  nsCOMPtr<nsIPrincipal> appPrincipal = GetAppPrincipal(aPrincipal->GetAppId());
-  uint32_t appPerm = nsIPermissionManager::UNKNOWN_ACTION;
-  nsresult rv = pm->TestExactPermissionFromPrincipal(appPrincipal, aPermission, &appPerm);
-  NS_ENSURE_SUCCESS(rv, nsIPermissionManager::UNKNOWN_ACTION);
-  // Setting to "deny" in the settings UI should deny everywhere.
-  if (appPerm == nsIPermissionManager::UNKNOWN_ACTION ||
-      appPerm == nsIPermissionManager::DENY_ACTION) {
-    return appPerm;
-  }
-
-  uint32_t permission = nsIPermissionManager::UNKNOWN_ACTION;
-  rv = pm->TestExactPermissionFromPrincipal(aPrincipal, aPermission, &permission);
-  NS_ENSURE_SUCCESS(rv, nsIPermissionManager::UNKNOWN_ACTION);
-  if (permission == nsIPermissionManager::UNKNOWN_ACTION ||
-      permission == nsIPermissionManager::DENY_ACTION) {
-    return permission;
-  }
-
-  // For browser content (and if the app hasn't explicitly denied this),
-  // consider the requesting origin, not the app.
-  // After bug 1238160, the principal no longer knows how to answer "is this a
-  // browser element", which is really what this code path wants. Currently,
-  // desktop is the only platform where we intend to disable isolation on a
-  // browser frame, so non-desktop should be able to assume that
-  // inIsolatedMozBrowser is true for all mozbrowser frames.  This code path is
-  // currently unused on desktop, since MOZ_CHILD_PERMISSIONS is only set for
-  // MOZ_B2G.  We use a release assertion in
-  // nsFrameLoader::OwnerIsIsolatedMozBrowserFrame so that platforms with apps
-  // can assume inIsolatedMozBrowser is true for all mozbrowser frames.
-  if (appPerm == nsIPermissionManager::PROMPT_ACTION &&
-      aPrincipal->GetIsInIsolatedMozBrowserElement()) {
-    return permission;
-  }
-
-  // Setting to "prompt" in the settings UI should prompt everywhere in
-  // non-browser content.
-  if (appPerm == nsIPermissionManager::PROMPT_ACTION ||
-      permission == nsIPermissionManager::PROMPT_ACTION) {
-    return nsIPermissionManager::PROMPT_ACTION;
-  }
-
-  if (appPerm == nsIPermissionManager::ALLOW_ACTION ||
-      permission == nsIPermissionManager::ALLOW_ACTION) {
-    return nsIPermissionManager::ALLOW_ACTION;
-  }
-
-  NS_RUNTIMEABORT("Invalid permission value");
-  return nsIPermissionManager::DENY_ACTION;
-}
-
-#else
-
 bool
 AssertAppProcess(mozilla::dom::PBrowserParent* aActor,
                  AssertAppProcessType aType,
                  const char* aCapability)
 {
   return true;
 }
 
@@ -415,11 +87,9 @@ AssertAppPrincipal(mozilla::dom::PConten
 uint32_t
 CheckPermission(mozilla::dom::PContentParent* aActor,
                 nsIPrincipal* aPrincipal,
                 const char* aPermission)
 {
   return nsIPermissionManager::ALLOW_ACTION;
 }
 
-#endif
-
 } // namespace mozilla
--- a/dom/ipc/Blob.cpp
+++ b/dom/ipc/Blob.cpp
@@ -4359,23 +4359,16 @@ BlobParent::RecvGetFilePath(nsString* aF
 {
   AssertIsOnOwningThread();
   MOZ_ASSERT(mBlobImpl);
   MOZ_ASSERT(!mRemoteBlobImpl);
   MOZ_ASSERT(mOwnsBlobImpl);
 
   // In desktop e10s the file picker code sends this message.
 
-#if defined(MOZ_CHILD_PERMISSIONS) && !defined(MOZ_GRAPHENE)
-  if (NS_WARN_IF(!IndexedDatabaseManager::InTestingMode())) {
-    ASSERT_UNLESS_FUZZING();
-    return false;
-  }
-#endif
-
   nsString filePath;
   ErrorResult rv;
   mBlobImpl->GetMozFullPathInternal(filePath, rv);
   if (NS_WARN_IF(rv.Failed())) {
     return false;
   }
 
   *aFilePath = filePath;
--- a/dom/ipc/ContentParent.cpp
+++ b/dom/ipc/ContentParent.cpp
@@ -4327,24 +4327,16 @@ ContentParent::RecvExtProtocolChannelCon
   parent->SetParentListener(nullptr);
 
   return true;
 }
 
 bool
 ContentParent::HasNotificationPermission(const IPC::Principal& aPrincipal)
 {
-#ifdef MOZ_CHILD_PERMISSIONS
-  uint32_t permission = mozilla::CheckPermission(this, aPrincipal,
-                                                 "desktop-notification");
-  if (permission != nsIPermissionManager::ALLOW_ACTION) {
-    return false;
-  }
-#endif /* MOZ_CHILD_PERMISSIONS */
-
   return true;
 }
 
 bool
 ContentParent::RecvShowAlert(const AlertNotificationType& aAlert)
 {
   nsCOMPtr<nsIAlertNotification> alert(dont_AddRef(aAlert));
   if (NS_WARN_IF(!alert)) {
@@ -4469,26 +4461,16 @@ AddGeolocationListener(nsIDOMGeoPosition
   geo->WatchPosition(watcher, errorCallBack, options, &retval);
   return retval;
 }
 
 bool
 ContentParent::RecvAddGeolocationListener(const IPC::Principal& aPrincipal,
                                           const bool& aHighAccuracy)
 {
-#ifdef MOZ_CHILD_PERMISSIONS
-  if (!ContentParent::IgnoreIPCPrincipal()) {
-    uint32_t permission = mozilla::CheckPermission(this, aPrincipal,
-                                                   "geolocation");
-    if (permission != nsIPermissionManager::ALLOW_ACTION) {
-      return true;
-    }
-  }
-#endif /* MOZ_CHILD_PERMISSIONS */
-
   // To ensure no geolocation updates are skipped, we always force the
   // creation of a new listener.
   RecvRemoveGeolocationListener();
   mGeolocationWatchID = AddGeolocationListener(this, this, aHighAccuracy);
   return true;
 }
 
 bool
--- a/old-configure.in
+++ b/old-configure.in
@@ -3798,29 +3798,16 @@ MOZ_ARG_DISABLE_BOOL(permissions,
 )
 
 AC_SUBST(MOZ_PERMISSIONS)
 if test -n "$MOZ_PERMISSIONS"; then
     AC_DEFINE(MOZ_PERMISSIONS)
 fi
 
 dnl ========================================================
-dnl Child permissions, currently only used for b2g
-dnl ========================================================
-if test -n "$MOZ_B2G"; then
-    if test -n "$MOZ_PERMISSIONS"; then
-        MOZ_CHILD_PERMISSIONS=1
-        AC_DEFINE(MOZ_CHILD_PERMISSIONS)
-    else
-        AC_MSG_ERROR([You need to enable MOZ_PERMISSIONS for MOZ_CHILD_PERMISSIONS])
-    fi
-fi
-AC_SUBST(MOZ_CHILD_PERMISSIONS)
-
-dnl ========================================================
 dnl NegotiateAuth
 dnl ========================================================
 
 MOZ_ARG_DISABLE_BOOL(negotiateauth,
 [  --disable-negotiateauth Disable GSS-API negotiation ],
     MOZ_AUTH_EXTENSION=,
     MOZ_AUTH_EXTENSION=1 )