Bug 965637: Move CSP from Principal into Client, part 2: worker changes. r=baku
authorChristoph Kerschbaumer <ckerschb@christophkerschbaumer.com>
Tue, 21 May 2019 23:14:50 +0000
changeset 474896 3399e7c519424a82824f48abd3b2a4d75346d723
parent 474895 ddf4012a7652e36d144fc43bc99335276deeafbe
child 474897 63587b402c35ba828007cf7b8b4c9a23fcf97e85
push id113174
push usernerli@mozilla.com
push dateWed, 22 May 2019 03:46:05 +0000
treeherdermozilla-inbound@a1672f31906b [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbaku
bugs965637
milestone69.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 965637: Move CSP from Principal into Client, part 2: worker changes. r=baku Differential Revision: https://phabricator.services.mozilla.com/D27655
dom/clients/api/Clients.cpp
dom/clients/manager/ClientIPCTypes.ipdlh
dom/clients/manager/ClientOpenWindowUtils.cpp
dom/serviceworkers/ServiceWorkerPrivate.cpp
dom/serviceworkers/ServiceWorkerRegistrar.cpp
dom/serviceworkers/test/gtest/TestReadWrite.cpp
dom/workers/ScriptLoader.cpp
dom/workers/WorkerLoadInfo.cpp
dom/workers/WorkerLoadInfo.h
dom/workers/WorkerPrivate.cpp
dom/workers/WorkerPrivate.h
dom/workers/remoteworkers/RemoteWorkerChild.cpp
dom/workers/remoteworkers/RemoteWorkerTypes.ipdlh
dom/workers/sharedworkers/SharedWorker.cpp
dom/workers/sharedworkers/SharedWorkerService.cpp
--- a/dom/clients/api/Clients.cpp
+++ b/dom/clients/api/Clients.cpp
@@ -17,16 +17,17 @@
 #include "mozilla/ipc/BackgroundUtils.h"
 #include "mozilla/SystemGroup.h"
 #include "nsIGlobalObject.h"
 #include "nsString.h"
 
 namespace mozilla {
 namespace dom {
 
+using mozilla::ipc::CSPInfo;
 using mozilla::ipc::PrincipalInfo;
 
 NS_IMPL_CYCLE_COLLECTING_ADDREF(Clients);
 NS_IMPL_CYCLE_COLLECTING_RELEASE(Clients);
 NS_IMPL_CYCLE_COLLECTION_WRAPPERCACHE(Clients, mGlobal);
 
 NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION(Clients)
   NS_WRAPPERCACHE_INTERFACE_MAP_ENTRY
@@ -213,21 +214,20 @@ already_AddRefed<Promise> Clients::OpenW
   }
 
   if (!workerPrivate->GlobalScope()->WindowInteractionAllowed()) {
     outerPromise->MaybeReject(NS_ERROR_DOM_INVALID_ACCESS_ERR);
     return outerPromise.forget();
   }
 
   const PrincipalInfo& principalInfo = workerPrivate->GetPrincipalInfo();
-  const nsTArray<mozilla::ipc::ContentSecurityPolicy>& cspInfos =
-      workerPrivate->GetCSPInfos();
+  const CSPInfo& cspInfo = workerPrivate->GetCSPInfo();
   nsCString baseURL = workerPrivate->GetLocationInfo().mHref;
 
-  ClientOpenWindowArgs args(principalInfo, cspInfos,
+  ClientOpenWindowArgs args(principalInfo, Some(cspInfo),
                             NS_ConvertUTF16toUTF8(aURL), baseURL);
 
   nsCOMPtr<nsIGlobalObject> global = mGlobal;
 
   StartClientManagerOp(
       &ClientManager::OpenWindow, args, mGlobal,
       [outerPromise, global](const ClientOpResult& aResult) {
         if (aResult.type() != ClientOpResult::TClientInfoAndState) {
--- a/dom/clients/manager/ClientIPCTypes.ipdlh
+++ b/dom/clients/manager/ClientIPCTypes.ipdlh
@@ -105,17 +105,17 @@ struct ClientGetInfoAndStateArgs
 {
   nsID id;
   PrincipalInfo principalInfo;
 };
 
 struct ClientOpenWindowArgs
 {
   PrincipalInfo principalInfo;
-  ContentSecurityPolicy[] cspInfos;
+  CSPInfo? cspInfo;
   nsCString url;
   nsCString baseURL;
 };
 
 union ClientOpConstructorArgs
 {
   ClientControlledArgs;
   ClientFocusArgs;
--- a/dom/clients/manager/ClientOpenWindowUtils.cpp
+++ b/dom/clients/manager/ClientOpenWindowUtils.cpp
@@ -166,42 +166,21 @@ nsresult OpenWindow(const ClientOpenWind
   if (NS_WARN_IF(NS_FAILED(rv))) {
     return NS_ERROR_TYPE_ERR;
   }
 
   nsCOMPtr<nsIPrincipal> principal =
       PrincipalInfoToPrincipal(aArgs.principalInfo());
   MOZ_DIAGNOSTIC_ASSERT(principal);
 
-  // XXXckerschb: After Bug 965637 we have the CSP stored in the client which
-  // allows to clean that part up.
   nsCOMPtr<nsIContentSecurityPolicy> csp;
-  if (!aArgs.cspInfos().IsEmpty()) {
-    csp = new nsCSPContext();
-    csp->SetRequestContext(nullptr, principal);
-    for (const mozilla::ipc::ContentSecurityPolicy& policy : aArgs.cspInfos()) {
-      nsresult rv = csp->AppendPolicy(policy.policy(), policy.reportOnlyFlag(),
-                                      policy.deliveredViaMetaTagFlag());
-      if (NS_WARN_IF(NS_FAILED(rv))) {
-        return rv;
-      }
-    }
+  if (aArgs.cspInfo().isSome()) {
+    csp = CSPInfoToCSP(aArgs.cspInfo().ref(), nullptr);
   }
 
-#ifdef DEBUG
-  if (principal && !principal->GetIsNullPrincipal()) {
-    // We do not serialize CSP for NullPricnipals as of now, for all others
-    // we make sure the CSP within the Principal and the explicit CSP are
-    // identical. After Bug 965637 we can remove that assertion anyway.
-    nsCOMPtr<nsIContentSecurityPolicy> principalCSP;
-    principal->GetCsp(getter_AddRefs(principalCSP));
-    MOZ_ASSERT(nsCSPContext::Equals(csp, principalCSP));
-  }
-#endif
-
   // [[6.1 Open Window]]
   if (XRE_IsContentProcess()) {
     // Let's create a sandbox in order to have a valid JSContext and correctly
     // propagate the SubjectPrincipal.
     AutoJSAPI jsapi;
     jsapi.Init();
 
     JSContext* cx = jsapi.cx();
--- a/dom/serviceworkers/ServiceWorkerPrivate.cpp
+++ b/dom/serviceworkers/ServiceWorkerPrivate.cpp
@@ -1730,32 +1730,35 @@ nsresult ServiceWorkerPrivate::SpawnWork
   info.mCookieSettings = mozilla::net::CookieSettings::Create();
   MOZ_ASSERT(info.mCookieSettings);
 
   info.mStorageAccess = nsContentUtils::StorageAllowedForServiceWorker(
       info.mPrincipal, info.mCookieSettings);
 
   info.mOriginAttributes = mInfo->GetOriginAttributes();
 
-  // Verify that we don't have any CSP on pristine principal.
+  // Verify that we don't have any CSP on pristine client.
 #ifdef MOZ_DIAGNOSTIC_ASSERT_ENABLED
   nsCOMPtr<nsIContentSecurityPolicy> csp;
-  Unused << info.mPrincipal->GetCsp(getter_AddRefs(csp));
+  if (info.mChannel) {
+    nsCOMPtr<nsILoadInfo> loadinfo = info.mChannel->LoadInfo();
+    csp = loadinfo->GetCsp();
+  }
   MOZ_DIAGNOSTIC_ASSERT(!csp);
 #endif
 
   // Default CSP permissions for now.  These will be overrided if necessary
   // based on the script CSP headers during load in ScriptLoader.
   info.mEvalAllowed = true;
   info.mReportCSPViolations = false;
 
   WorkerPrivate::OverrideLoadInfoLoadGroup(info, info.mPrincipal);
 
-  rv = info.SetPrincipalsOnMainThread(info.mPrincipal, info.mStoragePrincipal,
-                                      info.mLoadGroup);
+  rv = info.SetPrincipalsAndCSPOnMainThread(
+      info.mPrincipal, info.mStoragePrincipal, info.mLoadGroup, nullptr);
   if (NS_WARN_IF(NS_FAILED(rv))) {
     return rv;
   }
 
   AutoJSAPI jsapi;
   jsapi.Init();
   ErrorResult error;
   NS_ConvertUTF8toUTF16 scriptSpec(mInfo->ScriptSpec());
--- a/dom/serviceworkers/ServiceWorkerRegistrar.cpp
+++ b/dom/serviceworkers/ServiceWorkerRegistrar.cpp
@@ -115,21 +115,18 @@ nsresult CreatePrincipalInfo(nsILineInpu
 
   nsCString origin;
   nsCString baseDomain;
   rv = GetOriginAndBaseDomain(aEntry->scope(), origin, baseDomain);
   if (NS_WARN_IF(NS_FAILED(rv))) {
     return rv;
   }
 
-  // CSP will be applied during the script load.
-  nsTArray<mozilla::ipc::ContentSecurityPolicy> policies;
   aEntry->principal() = mozilla::ipc::ContentPrincipalInfo(
-      attrs, origin, aEntry->scope(), Nothing(), std::move(policies),
-      baseDomain);
+      attrs, origin, aEntry->scope(), Nothing(), baseDomain);
 
   return NS_OK;
 }
 
 }  // namespace
 
 NS_IMPL_ISUPPORTS(ServiceWorkerRegistrar, nsIObserver, nsIAsyncShutdownBlocker)
 
--- a/dom/serviceworkers/test/gtest/TestReadWrite.cpp
+++ b/dom/serviceworkers/test/gtest/TestReadWrite.cpp
@@ -278,20 +278,19 @@ TEST(ServiceWorkerRegistrar, TestWriteDa
 
       reg.currentWorkerInstalledTime() = PR_Now();
       reg.currentWorkerActivatedTime() = PR_Now();
       reg.lastUpdateTime() = PR_Now();
 
       nsAutoCString spec;
       spec.AppendPrintf("spec write %d", i);
 
-      nsTArray<mozilla::ipc::ContentSecurityPolicy> policies;
       reg.principal() = mozilla::ipc::ContentPrincipalInfo(
           mozilla::OriginAttributes(i % 2), spec, spec, mozilla::Nothing(),
-          std::move(policies), spec);
+          spec);
 
       swr->TestRegisterServiceWorker(reg);
     }
 
     nsresult rv = swr->TestWriteData();
     ASSERT_EQ(NS_OK, rv) << "WriteData() should not fail";
   }
 
@@ -883,20 +882,19 @@ TEST(ServiceWorkerRegistrar, TestDedupeW
       reg.cacheName() =
           NS_ConvertUTF8toUTF16(nsPrintfCString("cacheName write %d", i));
       reg.updateViaCache() =
           nsIServiceWorkerRegistrationInfo::UPDATE_VIA_CACHE_IMPORTS;
 
       nsAutoCString spec;
       spec.AppendPrintf("spec write dedupe/%d", i);
 
-      nsTArray<mozilla::ipc::ContentSecurityPolicy> policies;
       reg.principal() = mozilla::ipc::ContentPrincipalInfo(
           mozilla::OriginAttributes(false), spec, spec, mozilla::Nothing(),
-          std::move(policies), spec);
+          spec);
 
       swr->TestRegisterServiceWorker(reg);
     }
 
     nsresult rv = swr->TestWriteData();
     ASSERT_EQ(NS_OK, rv) << "WriteData() should not fail";
   }
 
--- a/dom/workers/ScriptLoader.cpp
+++ b/dom/workers/ScriptLoader.cpp
@@ -1177,17 +1177,17 @@ class ScriptLoaderRunnable final : publi
       NS_ENSURE_TRUE(mWorkerPrivate->FinalChannelPrincipalIsValid(channel),
                      NS_ERROR_FAILURE);
 
       // However, we must still override the principal since the nsIPrincipal
       // URL may be different due to same-origin redirects.  Unfortunately this
       // URL must exactly match the final worker script URL in order to
       // properly set the referrer header on fetch/xhr requests.  If bug 1340694
       // is ever fixed this can be removed.
-      rv = mWorkerPrivate->SetPrincipalsFromChannel(channel);
+      rv = mWorkerPrivate->SetPrincipalsAndCSPFromChannel(channel);
       NS_ENSURE_SUCCESS(rv, rv);
 
       nsCOMPtr<nsIContentSecurityPolicy> csp = mWorkerPrivate->GetCSP();
       // We did inherit CSP in bug 1223647. If we do not already have a CSP, we
       // should get it from the HTTP headers on the worker script.
       if (StaticPrefs::security_csp_enable()) {
         if (!csp) {
           rv = mWorkerPrivate->SetCSPFromHeaderValues(tCspHeaderValue,
@@ -1272,35 +1272,37 @@ class ScriptLoaderRunnable final : publi
       nsIPrincipal* principal = mWorkerPrivate->GetPrincipal();
       MOZ_DIAGNOSTIC_ASSERT(principal);
 
       bool equal = false;
       MOZ_ALWAYS_SUCCEEDS(responsePrincipal->Equals(principal, &equal));
       MOZ_DIAGNOSTIC_ASSERT(equal);
 
       nsCOMPtr<nsIContentSecurityPolicy> csp;
-      MOZ_ALWAYS_SUCCEEDS(responsePrincipal->GetCsp(getter_AddRefs(csp)));
+      if (parentDoc) {
+        csp = parentDoc->GetCsp();
+      }
       MOZ_DIAGNOSTIC_ASSERT(!csp);
 #endif
 
       mWorkerPrivate->InitChannelInfo(aChannelInfo);
 
       nsILoadGroup* loadGroup = mWorkerPrivate->GetLoadGroup();
       MOZ_DIAGNOSTIC_ASSERT(loadGroup);
 
       // Override the principal on the WorkerPrivate.  This is only necessary
       // in order to get a principal with exactly the correct URL.  The fetch
       // referrer logic depends on the WorkerPrivate principal having a URL
       // that matches the worker script URL.  If bug 1340694 is ever fixed
       // this can be removed.
       // XXX: force the storagePrincipal to be equal to the response one. This
       // is OK for now because we don't want to expose storagePrincipal
       // functionality in ServiceWorkers yet.
-      rv = mWorkerPrivate->SetPrincipalsOnMainThread(
-          responsePrincipal, responsePrincipal, loadGroup);
+      rv = mWorkerPrivate->SetPrincipalsAndCSPOnMainThread(
+          responsePrincipal, responsePrincipal, loadGroup, nullptr);
       MOZ_DIAGNOSTIC_ASSERT(NS_SUCCEEDED(rv));
 
       rv = mWorkerPrivate->SetCSPFromHeaderValues(aCSPHeaderValue,
                                                   aCSPReportOnlyHeaderValue);
       MOZ_DIAGNOSTIC_ASSERT(NS_SUCCEEDED(rv));
 
       mWorkerPrivate->SetReferrerPolicyFromHeaderValue(
           aReferrerPolicyHeaderValue);
@@ -1834,17 +1836,17 @@ class ChannelGetterRunnable final : publ
     mResult = workerinternals::ChannelFromScriptURLMainThread(
         mLoadInfo.mLoadingPrincipal, parentDoc, mLoadInfo.mLoadGroup, url,
         clientInfo,
         // Nested workers are always dedicated.
         nsIContentPolicy::TYPE_INTERNAL_WORKER, mLoadInfo.mCookieSettings,
         getter_AddRefs(channel));
     NS_ENSURE_SUCCESS(mResult, true);
 
-    mResult = mLoadInfo.SetPrincipalsFromChannel(channel);
+    mResult = mLoadInfo.SetPrincipalsAndCSPFromChannel(channel);
     NS_ENSURE_SUCCESS(mResult, true);
 
     mLoadInfo.mChannel = channel.forget();
     return true;
   }
 
   nsresult GetResult() const { return mResult; }
 
@@ -1881,16 +1883,20 @@ bool ScriptExecutorRunnable::PreRun(Work
 
   if (!aWorkerPrivate->GetJSContext()) {
     return false;
   }
 
   MOZ_ASSERT(mFirstIndex == 0);
   MOZ_ASSERT(!mScriptLoader.mRv.Failed());
 
+  // Move the CSP from the workerLoadInfo in the corresponding Client
+  // where the CSP code expects it!
+  aWorkerPrivate->StoreCSPOnClient();
+
   AutoJSAPI jsapi;
   jsapi.Init();
 
   WorkerGlobalScope* globalScope =
       aWorkerPrivate->GetOrCreateGlobalScope(jsapi.cx());
   if (NS_WARN_IF(!globalScope)) {
     NS_WARNING("Failed to make global!");
     // There's no way to report the exception on jsapi right now, because there
--- a/dom/workers/WorkerLoadInfo.cpp
+++ b/dom/workers/WorkerLoadInfo.cpp
@@ -3,16 +3,17 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "WorkerLoadInfo.h"
 #include "WorkerPrivate.h"
 
 #include "mozilla/BasePrincipal.h"
+#include "mozilla/dom/nsCSPUtils.h"
 #include "mozilla/dom/BrowserChild.h"
 #include "mozilla/ipc/BackgroundUtils.h"
 #include "mozilla/ipc/PBackgroundSharedTypes.h"
 #include "mozilla/LoadContext.h"
 #include "nsContentUtils.h"
 #include "nsIContentSecurityPolicy.h"
 #include "nsINetworkInterceptController.h"
 #include "nsIProtocolHandler.h"
@@ -88,40 +89,41 @@ WorkerLoadInfoData::WorkerLoadInfoData()
       mXHRParamsAllowed(false),
       mPrincipalIsSystem(false),
       mWatchedByDevtools(false),
       mStorageAccess(nsContentUtils::StorageAccess::eDeny),
       mFirstPartyStorageAccessGranted(false),
       mServiceWorkersTestingInWindow(false),
       mSecureContext(eNotSet) {}
 
-nsresult WorkerLoadInfo::SetPrincipalsOnMainThread(
+nsresult WorkerLoadInfo::SetPrincipalsAndCSPOnMainThread(
     nsIPrincipal* aPrincipal, nsIPrincipal* aStoragePrincipal,
-    nsILoadGroup* aLoadGroup) {
+    nsILoadGroup* aLoadGroup, nsIContentSecurityPolicy* aCsp) {
   AssertIsOnMainThread();
   MOZ_ASSERT(NS_LoadGroupMatchesPrincipal(aLoadGroup, aPrincipal));
 
   mPrincipal = aPrincipal;
   mStoragePrincipal = aStoragePrincipal;
   mPrincipalIsSystem = nsContentUtils::IsSystemPrincipal(aPrincipal);
 
-  nsresult rv = aPrincipal->GetCsp(getter_AddRefs(mCSP));
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  mCSPInfos.Clear();
+  mCSP = aCsp;
 
   if (mCSP) {
     mCSP->GetAllowsEval(&mReportCSPViolations, &mEvalAllowed);
-    rv = PopulateContentSecurityPolicies(mCSP, mCSPInfos);
-    NS_ENSURE_SUCCESS(rv, rv);
   } else {
     mEvalAllowed = true;
     mReportCSPViolations = false;
   }
 
+  mCSPInfo = new CSPInfo();
+  nsresult rv = CSPToCSPInfo(aCsp, mCSPInfo);
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    return rv;
+  }
+
   mLoadGroup = aLoadGroup;
 
   mPrincipalInfo = new PrincipalInfo();
   mStoragePrincipalInfo = new PrincipalInfo();
   mOriginAttributes = nsContentUtils::GetOriginAttributes(aLoadGroup);
 
   rv = PrincipalToPrincipalInfo(aPrincipal, mPrincipalInfo);
   NS_ENSURE_SUCCESS(rv, rv);
@@ -219,28 +221,34 @@ nsresult WorkerLoadInfo::GetPrincipalsAn
 
   channelPrincipal.forget(aPrincipalOut);
   channelStoragePrincipal.forget(aStoragePrincipalOut);
   channelLoadGroup.forget(aLoadGroupOut);
 
   return NS_OK;
 }
 
-nsresult WorkerLoadInfo::SetPrincipalsFromChannel(nsIChannel* aChannel) {
+nsresult WorkerLoadInfo::SetPrincipalsAndCSPFromChannel(nsIChannel* aChannel) {
   AssertIsOnMainThread();
 
   nsCOMPtr<nsIPrincipal> principal;
   nsCOMPtr<nsIPrincipal> storagePrincipal;
   nsCOMPtr<nsILoadGroup> loadGroup;
   nsresult rv = GetPrincipalsAndLoadGroupFromChannel(
       aChannel, getter_AddRefs(principal), getter_AddRefs(storagePrincipal),
       getter_AddRefs(loadGroup));
   NS_ENSURE_SUCCESS(rv, rv);
 
-  return SetPrincipalsOnMainThread(principal, storagePrincipal, loadGroup);
+  nsCOMPtr<nsIContentSecurityPolicy> csp;
+  if (CSP_ShouldResponseInheritCSP(aChannel)) {
+    nsCOMPtr<nsILoadInfo> loadinfo = aChannel->LoadInfo();
+    csp = loadinfo->GetCsp();
+  }
+  return SetPrincipalsAndCSPOnMainThread(principal, storagePrincipal, loadGroup,
+                                         csp);
 }
 
 bool WorkerLoadInfo::FinalChannelPrincipalIsValid(nsIChannel* aChannel) {
   AssertIsOnMainThread();
 
   nsCOMPtr<nsIPrincipal> principal;
   nsCOMPtr<nsIPrincipal> storagePrincipal;
   nsCOMPtr<nsILoadGroup> loadGroup;
--- a/dom/workers/WorkerLoadInfo.h
+++ b/dom/workers/WorkerLoadInfo.h
@@ -26,18 +26,18 @@ class nsIRunnable;
 class nsIScriptContext;
 class nsIBrowserChild;
 class nsIURI;
 class nsPIDOMWindowInner;
 
 namespace mozilla {
 
 namespace ipc {
-class ContentSecurityPolicy;
 class PrincipalInfo;
+class CSPInfo;
 }  // namespace ipc
 
 namespace dom {
 
 class WorkerPrivate;
 
 struct WorkerLoadInfoData {
   // All of these should be released in
@@ -54,16 +54,23 @@ struct WorkerLoadInfoData {
   nsCOMPtr<nsIPrincipal> mStoragePrincipal;
 
   // Taken from the parent context.
   nsCOMPtr<nsICookieSettings> mCookieSettings;
 
   nsCOMPtr<nsIScriptContext> mScriptContext;
   nsCOMPtr<nsPIDOMWindowInner> mWindow;
   nsCOMPtr<nsIContentSecurityPolicy> mCSP;
+  // Thread boundaries require us to not only store a CSP object, but also a
+  // serialized version of the CSP. Reason being: Serializing a CSP to a CSPInfo
+  // needs to happen on the main thread, but storing the CSPInfo needs to happen
+  // on the worker thread. We move the CSPInfo into the Client within
+  // ScriptLoader::PreRun().
+  nsAutoPtr<mozilla::ipc::CSPInfo> mCSPInfo;
+
   nsCOMPtr<nsIChannel> mChannel;
   nsCOMPtr<nsILoadGroup> mLoadGroup;
 
   class InterfaceRequestor final : public nsIInterfaceRequestor {
     NS_DECL_ISUPPORTS
 
    public:
     InterfaceRequestor(nsIPrincipal* aPrincipal, nsILoadGroup* aLoadGroup);
@@ -93,18 +100,16 @@ struct WorkerLoadInfoData {
   // Only set if we have a custom overriden load group
   RefPtr<InterfaceRequestor> mInterfaceRequestor;
 
   nsAutoPtr<mozilla::ipc::PrincipalInfo> mPrincipalInfo;
   nsAutoPtr<mozilla::ipc::PrincipalInfo> mStoragePrincipalInfo;
   nsCString mDomain;
   nsString mOrigin;  // Derived from mPrincipal; can be used on worker thread.
 
-  nsTArray<mozilla::ipc::ContentSecurityPolicy> mCSPInfos;
-
   nsString mServiceWorkerCacheName;
   Maybe<ServiceWorkerDescriptor> mServiceWorkerDescriptor;
   Maybe<ServiceWorkerRegistrationDescriptor>
       mServiceWorkerRegistrationDescriptor;
 
   Maybe<ServiceWorkerDescriptor> mParentController;
 
   ChannelInfo mChannelInfo;
@@ -138,25 +143,26 @@ struct WorkerLoadInfoData {
 
 struct WorkerLoadInfo : WorkerLoadInfoData {
   WorkerLoadInfo();
   WorkerLoadInfo(WorkerLoadInfo&& aOther) noexcept;
   ~WorkerLoadInfo();
 
   WorkerLoadInfo& operator=(WorkerLoadInfo&& aOther) = default;
 
-  nsresult SetPrincipalsOnMainThread(nsIPrincipal* aPrincipal,
-                                     nsIPrincipal* aStoragePrincipal,
-                                     nsILoadGroup* aLoadGroup);
+  nsresult SetPrincipalsAndCSPOnMainThread(nsIPrincipal* aPrincipal,
+                                           nsIPrincipal* aStoragePrincipal,
+                                           nsILoadGroup* aLoadGroup,
+                                           nsIContentSecurityPolicy* aCSP);
 
   nsresult GetPrincipalsAndLoadGroupFromChannel(
       nsIChannel* aChannel, nsIPrincipal** aPrincipalOut,
       nsIPrincipal** aStoragePrincipalOut, nsILoadGroup** aLoadGroupOut);
 
-  nsresult SetPrincipalsFromChannel(nsIChannel* aChannel);
+  nsresult SetPrincipalsAndCSPFromChannel(nsIChannel* aChannel);
 
   bool FinalChannelPrincipalIsValid(nsIChannel* aChannel);
 
 #ifdef MOZ_DIAGNOSTIC_ASSERT_ENABLED
   bool PrincipalIsValid() const;
 
   bool PrincipalURIMatchesScriptURL();
 #endif
--- a/dom/workers/WorkerPrivate.cpp
+++ b/dom/workers/WorkerPrivate.cpp
@@ -24,16 +24,17 @@
 #include "mozilla/dom/DOMTypes.h"
 #include "mozilla/dom/Event.h"
 #include "mozilla/dom/FunctionBinding.h"
 #include "mozilla/dom/IndexedDatabaseManager.h"
 #include "mozilla/dom/MessageEvent.h"
 #include "mozilla/dom/MessageEventBinding.h"
 #include "mozilla/dom/MessagePort.h"
 #include "mozilla/dom/MessagePortBinding.h"
+#include "mozilla/dom/nsCSPContext.h"
 #include "mozilla/dom/nsCSPUtils.h"
 #include "mozilla/dom/Performance.h"
 #include "mozilla/dom/PerformanceStorageWorker.h"
 #include "mozilla/dom/PromiseDebugging.h"
 #include "mozilla/dom/RemoteWorkerChild.h"
 #include "mozilla/dom/WorkerBinding.h"
 #include "mozilla/ThreadEventQueue.h"
 #include "mozilla/ThrottledEventQueue.h"
@@ -1251,32 +1252,47 @@ Document* WorkerPrivate::GetDocument() c
 void WorkerPrivate::SetCSP(nsIContentSecurityPolicy* aCSP) {
   AssertIsOnMainThread();
   if (!aCSP) {
     return;
   }
   aCSP->EnsureEventTarget(mMainThreadEventTarget);
 
   mLoadInfo.mCSP = aCSP;
+  mLoadInfo.mCSPInfo = new CSPInfo();
+  nsresult rv = CSPToCSPInfo(mLoadInfo.mCSP, mLoadInfo.mCSPInfo);
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    return;
+  }
 }
 
 nsresult WorkerPrivate::SetCSPFromHeaderValues(
     const nsACString& aCSPHeaderValue,
     const nsACString& aCSPReportOnlyHeaderValue) {
   AssertIsOnMainThread();
   MOZ_DIAGNOSTIC_ASSERT(!mLoadInfo.mCSP);
 
+  if (nsContentUtils::IsSystemPrincipal(mLoadInfo.mPrincipal)) {
+    // After Bug 1496418 we can remove the early return and apply
+    // a CSP even when loading using a SystemPrincipal.
+    return NS_OK;
+  }
+
   NS_ConvertASCIItoUTF16 cspHeaderValue(aCSPHeaderValue);
   NS_ConvertASCIItoUTF16 cspROHeaderValue(aCSPReportOnlyHeaderValue);
 
-  nsCOMPtr<nsIContentSecurityPolicy> csp;
-  nsresult rv = mLoadInfo.mPrincipal->EnsureCSP(nullptr, getter_AddRefs(csp));
-  if (!csp) {
-    return NS_OK;
-  }
+  nsresult rv;
+  nsCOMPtr<nsIContentSecurityPolicy> csp = new nsCSPContext();
+
+  nsCOMPtr<nsIURI> selfURI;
+  mLoadInfo.mPrincipal->GetURI(getter_AddRefs(selfURI));
+
+  rv = csp->SetRequestContextWithPrincipal(mLoadInfo.mPrincipal, selfURI,
+                                           EmptyString(), 0);
+  NS_ENSURE_SUCCESS(rv, rv);
 
   csp->EnsureEventTarget(mMainThreadEventTarget);
 
   // If there's a CSP header, apply it.
   if (!cspHeaderValue.IsEmpty()) {
     rv = CSP_AppendCSPFromHeader(csp, cspHeaderValue, false);
     NS_ENSURE_SUCCESS(rv, rv);
   }
@@ -1291,19 +1307,31 @@ nsresult WorkerPrivate::SetCSPFromHeader
   bool reportEvalViolations = false;
   rv = csp->GetAllowsEval(&reportEvalViolations, &evalAllowed);
   NS_ENSURE_SUCCESS(rv, rv);
 
   mLoadInfo.mCSP = csp;
   mLoadInfo.mEvalAllowed = evalAllowed;
   mLoadInfo.mReportCSPViolations = reportEvalViolations;
 
+  mLoadInfo.mCSPInfo = new CSPInfo();
+  rv = CSPToCSPInfo(csp, mLoadInfo.mCSPInfo);
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    return rv;
+  }
   return NS_OK;
 }
 
+void WorkerPrivate::StoreCSPOnClient() {
+  MOZ_ACCESS_THREAD_BOUND(mWorkerThreadAccessible, data);
+  if (data->mClientSource) {
+    data->mClientSource->SetCspInfo(*mLoadInfo.mCSPInfo.get());
+  }
+}
+
 void WorkerPrivate::SetReferrerPolicyFromHeaderValue(
     const nsACString& aReferrerPolicyHeaderValue) {
   NS_ConvertUTF8toUTF16 headerValue(aReferrerPolicyHeaderValue);
 
   if (headerValue.IsEmpty()) {
     return;
   }
 
@@ -1926,25 +1954,25 @@ void WorkerPrivate::SetBaseURI(nsIURI* a
     mLocationInfo.mHost.Assign(host);
   } else {
     mLocationInfo.mHost.Assign(mLocationInfo.mHostname);
   }
 
   nsContentUtils::GetUTFOrigin(aBaseURI, mLocationInfo.mOrigin);
 }
 
-nsresult WorkerPrivate::SetPrincipalsOnMainThread(
+nsresult WorkerPrivate::SetPrincipalsAndCSPOnMainThread(
     nsIPrincipal* aPrincipal, nsIPrincipal* aStoragePrincipal,
-    nsILoadGroup* aLoadGroup) {
-  return mLoadInfo.SetPrincipalsOnMainThread(aPrincipal, aStoragePrincipal,
-                                             aLoadGroup);
+    nsILoadGroup* aLoadGroup, nsIContentSecurityPolicy* aCsp) {
+  return mLoadInfo.SetPrincipalsAndCSPOnMainThread(
+      aPrincipal, aStoragePrincipal, aLoadGroup, aCsp);
 }
 
-nsresult WorkerPrivate::SetPrincipalsFromChannel(nsIChannel* aChannel) {
-  return mLoadInfo.SetPrincipalsFromChannel(aChannel);
+nsresult WorkerPrivate::SetPrincipalsAndCSPFromChannel(nsIChannel* aChannel) {
+  return mLoadInfo.SetPrincipalsAndCSPFromChannel(aChannel);
 }
 
 bool WorkerPrivate::FinalChannelPrincipalIsValid(nsIChannel* aChannel) {
   return mLoadInfo.FinalChannelPrincipalIsValid(aChannel);
 }
 
 #ifdef MOZ_DIAGNOSTIC_ASSERT_ENABLED
 bool WorkerPrivate::PrincipalURIMatchesScriptURL() {
@@ -2572,17 +2600,17 @@ nsresult WorkerPrivate::GetLoadInfo(JSCo
         clientInfo, ContentPolicyType(aWorkerType), loadInfo.mCookieSettings,
         getter_AddRefs(loadInfo.mChannel));
     NS_ENSURE_SUCCESS(rv, rv);
 
     rv = NS_GetFinalChannelURI(loadInfo.mChannel,
                                getter_AddRefs(loadInfo.mResolvedScriptURI));
     NS_ENSURE_SUCCESS(rv, rv);
 
-    rv = loadInfo.SetPrincipalsFromChannel(loadInfo.mChannel);
+    rv = loadInfo.SetPrincipalsAndCSPFromChannel(loadInfo.mChannel);
     NS_ENSURE_SUCCESS(rv, rv);
   }
 
   MOZ_DIAGNOSTIC_ASSERT(loadInfo.mLoadingPrincipal);
   MOZ_DIAGNOSTIC_ASSERT(loadInfo.PrincipalIsValid());
 
   *aLoadInfo = std::move(loadInfo);
   return NS_OK;
--- a/dom/workers/WorkerPrivate.h
+++ b/dom/workers/WorkerPrivate.h
@@ -678,24 +678,16 @@ class WorkerPrivate : public RelativeTim
   }
 
   bool UsesSystemPrincipal() const { return mLoadInfo.mPrincipalIsSystem; }
 
   const mozilla::ipc::PrincipalInfo& GetPrincipalInfo() const {
     return *mLoadInfo.mPrincipalInfo;
   }
 
-  // The CSPInfo returned is the same CSP as stored inside the Principal
-  // returned from GetPrincipalInfo. Please note that after Bug 965637
-  // we do not have a a CSP stored inside the Principal anymore which
-  // allows us to clean that part up.
-  const nsTArray<mozilla::ipc::ContentSecurityPolicy>& GetCSPInfos() const {
-    return mLoadInfo.mCSPInfos;
-  }
-
   const mozilla::ipc::PrincipalInfo& GetEffectiveStoragePrincipalInfo() const {
     return *mLoadInfo.mStoragePrincipalInfo;
   }
 
   already_AddRefed<nsIChannel> ForgetWorkerChannel() {
     AssertIsOnMainThread();
     return mLoadInfo.mChannel.forget();
   }
@@ -710,16 +702,22 @@ class WorkerPrivate : public RelativeTim
     return mLoadInfo.mCSP;
   }
 
   void SetCSP(nsIContentSecurityPolicy* aCSP);
 
   nsresult SetCSPFromHeaderValues(const nsACString& aCSPHeaderValue,
                                   const nsACString& aCSPReportOnlyHeaderValue);
 
+  void StoreCSPOnClient();
+
+  const mozilla::ipc::CSPInfo& GetCSPInfo() const {
+    return *mLoadInfo.mCSPInfo;
+  }
+
   void SetReferrerPolicyFromHeaderValue(
       const nsACString& aReferrerPolicyHeaderValue);
 
   net::ReferrerPolicy GetReferrerPolicy() const {
     return mLoadInfo.mReferrerPolicy;
   }
 
   void SetReferrerPolicy(net::ReferrerPolicy aReferrerPolicy) {
@@ -802,21 +800,22 @@ class WorkerPrivate : public RelativeTim
       already_AddRefed<nsIRunnable> aRunnable);
 
   bool ProxyReleaseMainThreadObjects();
 
   void GarbageCollect(bool aShrinking);
 
   void CycleCollect(bool aDummy);
 
-  nsresult SetPrincipalsOnMainThread(nsIPrincipal* aPrincipal,
-                                     nsIPrincipal* aStoragePrincipal,
-                                     nsILoadGroup* aLoadGroup);
+  nsresult SetPrincipalsAndCSPOnMainThread(nsIPrincipal* aPrincipal,
+                                           nsIPrincipal* aStoragePrincipal,
+                                           nsILoadGroup* aLoadGroup,
+                                           nsIContentSecurityPolicy* aCsp);
 
-  nsresult SetPrincipalsFromChannel(nsIChannel* aChannel);
+  nsresult SetPrincipalsAndCSPFromChannel(nsIChannel* aChannel);
 
   bool FinalChannelPrincipalIsValid(nsIChannel* aChannel);
 
 #ifdef MOZ_DIAGNOSTIC_ASSERT_ENABLED
   bool PrincipalURIMatchesScriptURL();
 #endif
 
   void UpdateOverridenLoadGroup(nsILoadGroup* aBaseLoadGroup);
--- a/dom/workers/remoteworkers/RemoteWorkerChild.cpp
+++ b/dom/workers/remoteworkers/RemoteWorkerChild.cpp
@@ -29,61 +29,16 @@ namespace mozilla {
 using namespace ipc;
 
 namespace dom {
 
 using workerinternals::ChannelFromScriptURLMainThread;
 
 namespace {
 
-nsresult PopulateContentSecurityPolicy(
-    nsIContentSecurityPolicy* aCSP,
-    const nsTArray<ContentSecurityPolicy>& aPolicies) {
-  MOZ_ASSERT(NS_IsMainThread());
-  MOZ_ASSERT(aCSP);
-  MOZ_ASSERT(!aPolicies.IsEmpty());
-
-  for (const ContentSecurityPolicy& policy : aPolicies) {
-    nsresult rv = aCSP->AppendPolicy(policy.policy(), policy.reportOnlyFlag(),
-                                     policy.deliveredViaMetaTagFlag());
-    if (NS_WARN_IF(NS_FAILED(rv))) {
-      return rv;
-    }
-  }
-
-  return NS_OK;
-}
-
-nsresult PopulatePrincipalContentSecurityPolicy(
-    nsIPrincipal* aPrincipal, const nsTArray<ContentSecurityPolicy>& aPolicies,
-    const nsTArray<ContentSecurityPolicy>& aPreloadPolicies) {
-  MOZ_ASSERT(NS_IsMainThread());
-  MOZ_ASSERT(aPrincipal);
-
-  if (!aPolicies.IsEmpty()) {
-    nsCOMPtr<nsIContentSecurityPolicy> csp;
-    aPrincipal->EnsureCSP(nullptr, getter_AddRefs(csp));
-    nsresult rv = PopulateContentSecurityPolicy(csp, aPolicies);
-    if (NS_WARN_IF(NS_FAILED(rv))) {
-      return rv;
-    }
-  }
-
-  if (!aPreloadPolicies.IsEmpty()) {
-    nsCOMPtr<nsIContentSecurityPolicy> preloadCsp;
-    aPrincipal->EnsurePreloadCSP(nullptr, getter_AddRefs(preloadCsp));
-    nsresult rv = PopulateContentSecurityPolicy(preloadCsp, aPreloadPolicies);
-    if (NS_WARN_IF(NS_FAILED(rv))) {
-      return rv;
-    }
-  }
-
-  return NS_OK;
-}
-
 class SharedWorkerInterfaceRequestor final : public nsIInterfaceRequestor {
  public:
   NS_DECL_ISUPPORTS
 
   SharedWorkerInterfaceRequestor() {
     // This check must match the code nsDocShell::Create.
     if (!ServiceWorkerParentInterceptEnabled() || XRE_IsParentProcess()) {
       mSWController = new ServiceWorkerInterceptController();
@@ -238,48 +193,28 @@ nsresult RemoteWorkerChild::ExecWorkerOn
   nsresult rv = NS_OK;
 
   nsCOMPtr<nsIPrincipal> principal =
       PrincipalInfoToPrincipal(aData.principalInfo(), &rv);
   if (NS_WARN_IF(NS_FAILED(rv))) {
     return rv;
   }
 
-  rv = PopulatePrincipalContentSecurityPolicy(principal, aData.principalCsp(),
-                                              aData.principalPreloadCsp());
-  if (NS_WARN_IF(NS_FAILED(rv))) {
-    return rv;
-  }
-
   nsCOMPtr<nsIPrincipal> loadingPrincipal =
       PrincipalInfoToPrincipal(aData.loadingPrincipalInfo(), &rv);
   if (NS_WARN_IF(NS_FAILED(rv))) {
     return rv;
   }
 
-  rv = PopulatePrincipalContentSecurityPolicy(
-      loadingPrincipal, aData.loadingPrincipalCsp(),
-      aData.loadingPrincipalPreloadCsp());
-  if (NS_WARN_IF(NS_FAILED(rv))) {
-    return rv;
-  }
-
   nsCOMPtr<nsIPrincipal> storagePrincipal =
       PrincipalInfoToPrincipal(aData.storagePrincipalInfo(), &rv);
   if (NS_WARN_IF(NS_FAILED(rv))) {
     return rv;
   }
 
-  rv = PopulatePrincipalContentSecurityPolicy(
-      storagePrincipal, aData.storagePrincipalCsp(),
-      aData.storagePrincipalPreloadCsp());
-  if (NS_WARN_IF(NS_FAILED(rv))) {
-    return rv;
-  }
-
   WorkerLoadInfo info;
   info.mBaseURI = DeserializeURI(aData.baseScriptURL());
   info.mResolvedScriptURI = DeserializeURI(aData.resolvedScriptURL());
 
   info.mPrincipalInfo = new PrincipalInfo(aData.principalInfo());
   info.mStoragePrincipalInfo = new PrincipalInfo(aData.storagePrincipalInfo());
 
   info.mDomain = aData.domain();
@@ -300,25 +235,38 @@ nsresult RemoteWorkerChild::ExecWorkerOn
                             : WorkerLoadInfo::eInsecureContext;
 
   WorkerPrivate::OverrideLoadInfoLoadGroup(info, info.mLoadingPrincipal);
 
   RefPtr<SharedWorkerInterfaceRequestor> requestor =
       new SharedWorkerInterfaceRequestor();
   info.mInterfaceRequestor->SetOuterRequestor(requestor);
 
-  rv = info.SetPrincipalsOnMainThread(info.mPrincipal, info.mStoragePrincipal,
-                                      info.mLoadGroup);
+  Maybe<ClientInfo> clientInfo;
+  if (aData.clientInfo().isSome()) {
+    clientInfo.emplace(ClientInfo(aData.clientInfo().ref()));
+  }
+
+  if (clientInfo.isSome()) {
+    Maybe<mozilla::ipc::CSPInfo> cspInfo = clientInfo.ref().GetCspInfo();
+    if (cspInfo.isSome()) {
+      info.mCSP = CSPInfoToCSP(cspInfo.ref(), nullptr);
+    }
+  }
+
+  info.mCSPInfo = new CSPInfo();
+  rv = CSPToCSPInfo(info.mCSP, info.mCSPInfo);
   if (NS_WARN_IF(NS_FAILED(rv))) {
     return rv;
   }
 
-  Maybe<ClientInfo> clientInfo;
-  if (aData.clientInfo().isSome()) {
-    clientInfo.emplace(ClientInfo(aData.clientInfo().ref()));
+  rv = info.SetPrincipalsAndCSPOnMainThread(
+      info.mPrincipal, info.mStoragePrincipal, info.mLoadGroup, info.mCSP);
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    return rv;
   }
 
   // Top level workers' main script use the document charset for the script
   // uri encoding.
   rv = ChannelFromScriptURLMainThread(
       info.mLoadingPrincipal, nullptr /* parent document */, info.mLoadGroup,
       info.mResolvedScriptURI, clientInfo,
       aData.isSharedWorker() ? nsIContentPolicy::TYPE_INTERNAL_SHARED_WORKER
--- a/dom/workers/remoteworkers/RemoteWorkerTypes.ipdlh
+++ b/dom/workers/remoteworkers/RemoteWorkerTypes.ipdlh
@@ -26,26 +26,18 @@ struct RemoteWorkerData
   // seconds to actually load it; so it's possible to still fail to load the
   // blob URL if it takes too long to do the round trip.
   URIParams baseScriptURL;
   URIParams resolvedScriptURL;
 
   nsString name;
 
   PrincipalInfo loadingPrincipalInfo;
-  ContentSecurityPolicy[] loadingPrincipalCsp;
-  ContentSecurityPolicy[] loadingPrincipalPreloadCsp;
-
   PrincipalInfo principalInfo;
-  ContentSecurityPolicy[] principalCsp;
-  ContentSecurityPolicy[] principalPreloadCsp;
-
   PrincipalInfo storagePrincipalInfo;
-  ContentSecurityPolicy[] storagePrincipalCsp;
-  ContentSecurityPolicy[] storagePrincipalPreloadCsp;
 
   nsCString domain;
 
   bool isSecureContext;
 
   IPCClientInfo? clientInfo;
 
   StorageAccess storageAccess;
--- a/dom/workers/sharedworkers/SharedWorker.cpp
+++ b/dom/workers/sharedworkers/SharedWorker.cpp
@@ -7,17 +7,16 @@
 #include "SharedWorker.h"
 
 #include "mozilla/AsyncEventDispatcher.h"
 #include "mozilla/EventDispatcher.h"
 #include "mozilla/dom/ClientInfo.h"
 #include "mozilla/dom/Event.h"
 #include "mozilla/dom/MessageChannel.h"
 #include "mozilla/dom/MessagePort.h"
-#include "mozilla/dom/nsCSPUtils.h"
 #include "mozilla/dom/PMessagePort.h"
 #include "mozilla/dom/RemoteWorkerTypes.h"
 #include "mozilla/dom/SharedWorkerBinding.h"
 #include "mozilla/dom/SharedWorkerChild.h"
 #include "mozilla/dom/WorkerBinding.h"
 #include "mozilla/dom/WorkerLoadInfo.h"
 #include "mozilla/dom/WorkerPrivate.h"
 #include "mozilla/ipc/BackgroundChild.h"
@@ -31,55 +30,16 @@
 #ifdef XP_WIN
 #  undef PostMessage
 #endif
 
 using namespace mozilla;
 using namespace mozilla::dom;
 using namespace mozilla::ipc;
 
-namespace {
-
-nsresult PopulateContentSecurityPolicyArray(
-    nsIPrincipal* aPrincipal, nsTArray<ContentSecurityPolicy>& policies,
-    nsTArray<ContentSecurityPolicy>& preloadPolicies) {
-  MOZ_ASSERT(aPrincipal);
-  MOZ_ASSERT(policies.IsEmpty());
-  MOZ_ASSERT(preloadPolicies.IsEmpty());
-
-  nsCOMPtr<nsIContentSecurityPolicy> csp;
-  nsresult rv = BasePrincipal::Cast(aPrincipal)->GetCsp(getter_AddRefs(csp));
-  if (NS_WARN_IF(NS_FAILED(rv))) {
-    return rv;
-  }
-
-  if (csp) {
-    rv = PopulateContentSecurityPolicies(csp, policies);
-    if (NS_WARN_IF(NS_FAILED(rv))) {
-      return rv;
-    }
-  }
-
-  rv = BasePrincipal::Cast(aPrincipal)->GetPreloadCsp(getter_AddRefs(csp));
-  if (NS_WARN_IF(NS_FAILED(rv))) {
-    return rv;
-  }
-
-  if (csp) {
-    rv = PopulateContentSecurityPolicies(csp, preloadPolicies);
-    if (NS_WARN_IF(NS_FAILED(rv))) {
-      return rv;
-    }
-  }
-
-  return NS_OK;
-}
-
-}  // namespace
-
 SharedWorker::SharedWorker(nsPIDOMWindowInner* aWindow,
                            SharedWorkerChild* aActor, MessagePort* aMessagePort)
     : DOMEventTargetHelper(aWindow),
       mWindow(aWindow),
       mActor(aActor),
       mMessagePort(aMessagePort),
       mFrozen(false) {
   AssertIsOnMainThread();
@@ -147,40 +107,23 @@ already_AddRefed<SharedWorker> SharedWor
   }
 
   PrincipalInfo principalInfo;
   aRv = PrincipalToPrincipalInfo(loadInfo.mPrincipal, &principalInfo);
   if (NS_WARN_IF(aRv.Failed())) {
     return nullptr;
   }
 
-  nsTArray<ContentSecurityPolicy> principalCSP;
-  nsTArray<ContentSecurityPolicy> principalPreloadCSP;
-  aRv = PopulateContentSecurityPolicyArray(loadInfo.mPrincipal, principalCSP,
-                                           principalPreloadCSP);
-  if (NS_WARN_IF(aRv.Failed())) {
-    return nullptr;
-  }
-
   PrincipalInfo loadingPrincipalInfo;
   aRv = PrincipalToPrincipalInfo(loadInfo.mLoadingPrincipal,
                                  &loadingPrincipalInfo);
   if (NS_WARN_IF(aRv.Failed())) {
     return nullptr;
   }
 
-  nsTArray<ContentSecurityPolicy> loadingPrincipalCSP;
-  nsTArray<ContentSecurityPolicy> loadingPrincipalPreloadCSP;
-  aRv = PopulateContentSecurityPolicyArray(loadInfo.mLoadingPrincipal,
-                                           loadingPrincipalCSP,
-                                           loadingPrincipalPreloadCSP);
-  if (NS_WARN_IF(aRv.Failed())) {
-    return nullptr;
-  }
-
   // Here, the StoragePrincipal is always equal to the SharedWorker's principal
   // because the channel is not opened yet, and, because of this, it's not
   // classified. We need to force the correct originAttributes.
   if (storageAllowed == nsContentUtils::StorageAccess::ePartitionedOrDeny) {
     nsCOMPtr<nsIScriptObjectPrincipal> sop = do_QueryInterface(window);
     if (!sop) {
       aRv.Throw(NS_ERROR_FAILURE);
       return nullptr;
@@ -213,25 +156,16 @@ already_AddRefed<SharedWorker> SharedWor
   } else {
     aRv = PrincipalToPrincipalInfo(loadInfo.mStoragePrincipal,
                                    &storagePrincipalInfo);
     if (NS_WARN_IF(aRv.Failed())) {
       return nullptr;
     }
   }
 
-  nsTArray<ContentSecurityPolicy> storagePrincipalCSP;
-  nsTArray<ContentSecurityPolicy> storagePrincipalPreloadCSP;
-  aRv = PopulateContentSecurityPolicyArray(loadInfo.mStoragePrincipal,
-                                           storagePrincipalCSP,
-                                           storagePrincipalPreloadCSP);
-  if (NS_WARN_IF(aRv.Failed())) {
-    return nullptr;
-  }
-
   // We don't actually care about this MessageChannel, but we use it to 'steal'
   // its 2 connected ports.
   nsCOMPtr<nsIGlobalObject> global = do_QueryInterface(window);
   RefPtr<MessageChannel> channel = MessageChannel::Constructor(global, aRv);
   if (NS_WARN_IF(aRv.Failed())) {
     return nullptr;
   }
 
@@ -252,20 +186,19 @@ already_AddRefed<SharedWorker> SharedWor
   Maybe<IPCClientInfo> ipcClientInfo;
   Maybe<ClientInfo> clientInfo = window->GetClientInfo();
   if (clientInfo.isSome()) {
     ipcClientInfo.emplace(clientInfo.value().ToIPC());
   }
 
   RemoteWorkerData remoteWorkerData(
       nsString(aScriptURL), baseURL, resolvedScriptURL, name,
-      loadingPrincipalInfo, loadingPrincipalCSP, loadingPrincipalPreloadCSP,
-      principalInfo, principalCSP, principalPreloadCSP, storagePrincipalInfo,
-      storagePrincipalCSP, storagePrincipalPreloadCSP, loadInfo.mDomain,
-      isSecureContext, ipcClientInfo, storageAllowed, true /* sharedWorker */);
+      loadingPrincipalInfo, principalInfo, storagePrincipalInfo,
+      loadInfo.mDomain, isSecureContext, ipcClientInfo, storageAllowed,
+      true /* sharedWorker */);
 
   PSharedWorkerChild* pActor = actorChild->SendPSharedWorkerConstructor(
       remoteWorkerData, loadInfo.mWindowID, portIdentifier);
 
   RefPtr<SharedWorkerChild> actor = static_cast<SharedWorkerChild*>(pActor);
   MOZ_ASSERT(actor);
 
   RefPtr<SharedWorker> sharedWorker =
--- a/dom/workers/sharedworkers/SharedWorkerService.cpp
+++ b/dom/workers/sharedworkers/SharedWorkerService.cpp
@@ -20,61 +20,16 @@ namespace dom {
 namespace {
 
 StaticMutex sSharedWorkerMutex;
 
 // Raw pointer because SharedWorkerParent keeps this object alive, indirectly
 // via SharedWorkerManagerHolder.
 SharedWorkerService* MOZ_NON_OWNING_REF sSharedWorkerService;
 
-nsresult PopulateContentSecurityPolicy(
-    nsIContentSecurityPolicy* aCSP,
-    const nsTArray<ContentSecurityPolicy>& aPolicies) {
-  MOZ_ASSERT(NS_IsMainThread());
-  MOZ_ASSERT(aCSP);
-  MOZ_ASSERT(!aPolicies.IsEmpty());
-
-  for (const ContentSecurityPolicy& policy : aPolicies) {
-    nsresult rv = aCSP->AppendPolicy(policy.policy(), policy.reportOnlyFlag(),
-                                     policy.deliveredViaMetaTagFlag());
-    if (NS_WARN_IF(NS_FAILED(rv))) {
-      return rv;
-    }
-  }
-
-  return NS_OK;
-}
-
-nsresult PopulatePrincipalContentSecurityPolicy(
-    nsIPrincipal* aPrincipal, const nsTArray<ContentSecurityPolicy>& aPolicies,
-    const nsTArray<ContentSecurityPolicy>& aPreloadPolicies) {
-  MOZ_ASSERT(NS_IsMainThread());
-  MOZ_ASSERT(aPrincipal);
-
-  if (!aPolicies.IsEmpty()) {
-    nsCOMPtr<nsIContentSecurityPolicy> csp;
-    aPrincipal->EnsureCSP(nullptr, getter_AddRefs(csp));
-    nsresult rv = PopulateContentSecurityPolicy(csp, aPolicies);
-    if (NS_WARN_IF(NS_FAILED(rv))) {
-      return rv;
-    }
-  }
-
-  if (!aPreloadPolicies.IsEmpty()) {
-    nsCOMPtr<nsIContentSecurityPolicy> preloadCsp;
-    aPrincipal->EnsurePreloadCSP(nullptr, getter_AddRefs(preloadCsp));
-    nsresult rv = PopulateContentSecurityPolicy(preloadCsp, aPreloadPolicies);
-    if (NS_WARN_IF(NS_FAILED(rv))) {
-      return rv;
-    }
-  }
-
-  return NS_OK;
-}
-
 class GetOrCreateWorkerManagerRunnable final : public Runnable {
  public:
   GetOrCreateWorkerManagerRunnable(SharedWorkerService* aService,
                                    SharedWorkerParent* aActor,
                                    const RemoteWorkerData& aData,
                                    uint64_t aWindowID,
                                    const MessagePortIdentifier& aPortIdentifier)
       : Runnable("GetOrCreateWorkerManagerRunnable"),
@@ -231,24 +186,16 @@ void SharedWorkerService::GetOrCreateWor
 
   nsCOMPtr<nsIPrincipal> loadingPrincipal =
       PrincipalInfoToPrincipal(aData.loadingPrincipalInfo(), &rv);
   if (NS_WARN_IF(!loadingPrincipal)) {
     ErrorPropagationOnMainThread(aBackgroundEventTarget, aActor, rv);
     return;
   }
 
-  rv = PopulatePrincipalContentSecurityPolicy(
-      loadingPrincipal, aData.loadingPrincipalCsp(),
-      aData.loadingPrincipalPreloadCsp());
-  if (NS_WARN_IF(NS_FAILED(rv))) {
-    ErrorPropagationOnMainThread(aBackgroundEventTarget, aActor, rv);
-    return;
-  }
-
   RefPtr<SharedWorkerManagerHolder> managerHolder;
 
   // Let's see if there is already a SharedWorker to share.
   nsCOMPtr<nsIURI> resolvedScriptURL =
       DeserializeURI(aData.resolvedScriptURL());
   for (SharedWorkerManager* workerManager : mWorkerManagers) {
     managerHolder = workerManager->MatchOnMainThread(
         this, aData.domain(), resolvedScriptURL, aData.name(), loadingPrincipal,