Bug 1165272 - Part 2: Replace getNoAppCodebasePrincipal. r=bholley
authorYoshi Huang <allstars.chh@mozilla.com>
Mon, 24 Aug 2015 01:18:00 -0400
changeset 259013 8d116b0d696f461cd63840f1dd21430b47e740a5
parent 259012 8b37e978d6078937778b05febdb787d6313b1e2f
child 259014 2bd4cb790c48d3f6d3da0ea9b03ce5cfb40e6b46
push id29268
push userryanvm@gmail.com
push dateTue, 25 Aug 2015 00:37:23 +0000
treeherdermozilla-central@08015770c9d6 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbholley
bugs1165272
milestone43.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1165272 - Part 2: Replace getNoAppCodebasePrincipal. r=bholley
browser/base/content/aboutSocialError.xhtml
browser/base/content/test/general/browser_offlineQuotaNotification.js
browser/base/content/test/general/browser_sanitizeDialog.js
browser/base/content/test/general/test_offlineNotification.html
browser/base/content/test/general/test_offline_gzip.html
browser/base/content/test/newtab/head.js
browser/components/feeds/FeedConverter.js
browser/components/preferences/aboutPermissions.js
browser/components/preferences/permissions.js
browser/components/preferences/tests/browser_permissions.js
browser/devtools/styleinspector/test/browser_styleinspector_csslogic-content-stylesheets.js
browser/extensions/pdfjs/content/PdfStreamConverter.jsm
browser/extensions/shumway/chrome/SpecialStorage.jsm
browser/modules/Feeds.jsm
caps/nsIScriptSecurityManager.idl
dom/cache/test/mochitest/test_chrome_constructor.html
dom/indexedDB/test/head.js
dom/indexedDB/test/unit/test_defaultStorageUpgrade.js
dom/indexedDB/test/unit/test_idle_maintenance.js
dom/indexedDB/test/unit/test_metadataRestore.js
dom/indexedDB/test/unit/test_open_for_principal.js
dom/indexedDB/test/unit/test_temporary_storage.js
dom/tests/mochitest/chrome/test_MozDomFullscreen_event.xul
dom/tests/mochitest/localstorage/test_localStorageFromChrome.xhtml
extensions/cookie/nsPermission.cpp
extensions/cookie/nsPermissionManager.cpp
extensions/cookie/test/unit/test_permmanager_defaults.js
extensions/cookie/test/unit/test_permmanager_expiration.js
extensions/cookie/test/unit/test_permmanager_getPermissionObject.js
extensions/cookie/test/unit/test_permmanager_idn.js
extensions/cookie/test/unit/test_permmanager_load_invalid_entries.js
extensions/cookie/test/unit/test_permmanager_local_files.js
extensions/cookie/test/unit/test_permmanager_matches.js
extensions/cookie/test/unit/test_permmanager_matchesuri.js
extensions/cookie/test/unit/test_permmanager_notifications.js
extensions/cookie/test/unit/test_permmanager_removesince.js
extensions/cookie/test/unit/test_permmanager_subdomains.js
extensions/cookie/test/unit_ipc/test_child.js
extensions/cookie/test/unit_ipc/test_parent.js
gfx/thebes/gfxSVGGlyphs.cpp
js/xpconnect/src/Sandbox.cpp
netwerk/test/unit/test_auth_dialog_permission.js
netwerk/test/unit/test_fallback_no-cache-entry_canceled.js
netwerk/test/unit/test_fallback_no-cache-entry_passing.js
netwerk/test/unit/test_fallback_redirect-to-different-origin_canceled.js
netwerk/test/unit/test_fallback_redirect-to-different-origin_passing.js
netwerk/test/unit/test_fallback_request-error_canceled.js
netwerk/test/unit/test_fallback_request-error_passing.js
netwerk/test/unit/test_fallback_response-error_canceled.js
netwerk/test/unit/test_fallback_response-error_passing.js
netwerk/test/unit/test_offlinecache_custom-directory.js
netwerk/test/unit/test_packaged_app_service.js
netwerk/test/unit/test_packaged_app_service_paths.js
netwerk/test/unit/test_permmgr.js
services/sync/Weave.js
testing/mochitest/tests/Harness_sanity/test_bug816847.html
toolkit/components/downloads/ApplicationReputation.cpp
toolkit/components/downloads/test/unit/test_app_rep.js
toolkit/components/places/BookmarkJSONUtils.jsm
toolkit/components/places/nsLivemarkService.js
toolkit/components/social/SocialService.jsm
toolkit/components/url-classifier/tests/unit/head_urlclassifier.js
toolkit/components/url-classifier/tests/unit/test_dbservice.js
toolkit/components/url-classifier/tests/unit/test_digest256.js
toolkit/forgetaboutsite/test/unit/test_removeDataFromDomain.js
toolkit/modules/NewTabUtils.jsm
toolkit/modules/PermissionsUtils.jsm
toolkit/webapps/NativeApp.jsm
uriloader/prefetch/nsOfflineCacheUpdateService.cpp
--- a/browser/base/content/aboutSocialError.xhtml
+++ b/browser/base/content/aboutSocialError.xhtml
@@ -50,17 +50,18 @@
       let mode = searchParams.get("mode");
       config.origin = searchParams.get("origin");
       let encodedURL = searchParams.get("url");
       let url = decodeURIComponent(encodedURL);
       // directory does not have origin set, in that case use the url origin for
       // the error message.
       if (!config.origin) {
         let URI = Services.io.newURI(url, null, null);
-        config.origin = Services.scriptSecurityManager.getNoAppCodebasePrincipal(URI).origin;
+        config.origin =
+          Services.scriptSecurityManager.createCodebasePrincipal(URI, {}).origin;
       }
 
       switch (mode) {
         case "compactInfo":
           document.getElementById("btnTryAgain").style.display = 'none';
           break;
         case "tryAgainOnly":
           //intentional fall-through
--- a/browser/base/content/test/general/browser_offlineQuotaNotification.js
+++ b/browser/base/content/test/general/browser_offlineQuotaNotification.js
@@ -6,17 +6,17 @@
 // Test offline quota warnings - must be run as a mochitest-browser test or
 // else the test runner gets in the way of notifications due to bug 857897.
 
 const URL = "http://mochi.test:8888/browser/browser/base/content/test/general/offlineQuotaNotification.html";
 
 registerCleanupFunction(function() {
   // Clean up after ourself
   let uri = Services.io.newURI(URL, null, null);
-  var principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri);
+  let principal = Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
   Services.perms.removeFromPrincipal(principal, "offline-app");
   Services.prefs.clearUserPref("offline-apps.quota.warn");
   Services.prefs.clearUserPref("offline-apps.allow_by_default");
 });
 
 // Check that the "preferences" UI is opened and showing which websites have
 // offline storage permissions - currently this is the "network" tab in the
 // "advanced" pane.
--- a/browser/base/content/test/general/browser_sanitizeDialog.js
+++ b/browser/base/content/test/general/browser_sanitizeDialog.js
@@ -559,17 +559,17 @@ var gAllTests = [
     var URL = "http://www.example.com";
 
     var ios = Cc["@mozilla.org/network/io-service;1"]
               .getService(Ci.nsIIOService);
     var URI = ios.newURI(URL, null, null);
 
     var sm = Cc["@mozilla.org/scriptsecuritymanager;1"]
              .getService(Ci.nsIScriptSecurityManager);
-    var principal = sm.getNoAppCodebasePrincipal(URI);
+    var principal = sm.createCodebasePrincipal(URI, {});
 
     // Give www.example.com privileges to store offline data
     var pm = Cc["@mozilla.org/permissionmanager;1"]
              .getService(Ci.nsIPermissionManager);
     pm.addFromPrincipal(principal, "offline-app", Ci.nsIPermissionManager.ALLOW_ACTION);
     pm.addFromPrincipal(principal, "offline-app", Ci.nsIOfflineCacheUpdateService.ALLOW_NO_WARN);
 
     // Store something to the offline cache
@@ -629,17 +629,17 @@ var gAllTests = [
     var URL = "http://www.example.com";
 
     var ios = Cc["@mozilla.org/network/io-service;1"]
               .getService(Ci.nsIIOService);
     var URI = ios.newURI(URL, null, null);
 
     var sm = Cc["@mozilla.org/scriptsecuritymanager;1"]
              .getService(Ci.nsIScriptSecurityManager);
-    var principal = sm.getNoAppCodebasePrincipal(URI);
+    var principal = sm.createCodebasePrincipal(URI, {});
 
     // Open the dialog
     let wh = new WindowHelper();
     wh.onload = function () {
       this.selectDuration(Sanitizer.TIMESPAN_EVERYTHING);
       // Show details
       this.toggleDetails();
       // Clear only offlineApps
--- a/browser/base/content/test/general/test_offlineNotification.html
+++ b/browser/base/content/test/general/test_offlineNotification.html
@@ -38,22 +38,20 @@ window.addEventListener("message", funct
       // Clean up after ourself
       var pm = Cc["@mozilla.org/permissionmanager;1"].
                getService(SpecialPowers.Ci.nsIPermissionManager);
       var ioService = Cc["@mozilla.org/network/io-service;1"]
                         .getService(SpecialPowers.Ci.nsIIOService);
       var uri1 = ioService.newURI(frames.testFrame.location, null, null);
       var uri2 = ioService.newURI(frames.testFrame3.location, null, null);
 
-      var principal1 = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                        .getService(SpecialPowers.Ci.nsIScriptSecurityManager)
-                        .getNoAppCodebasePrincipal(uri1);
-      var principal2 = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                        .getService(SpecialPowers.Ci.nsIScriptSecurityManager)
-                        .getNoAppCodebasePrincipal(uri2);
+      var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+                  .getService(SpecialPowers.Ci.nsIScriptSecurityManager);
+      var principal1 = ssm.createCodebasePrincipal(uri1, {});
+      var principal2 = ssm.createCodebasePrincipal(uri2, {});
 
       pm.removeFromPrincipal(principal1, "offline-app");
       pm.removeFromPrincipal(principal2, "offline-app");
 
       offlineByDefault.reset();
 
       SimpleTest.finish();
     }
--- a/browser/base/content/test/general/test_offline_gzip.html
+++ b/browser/base/content/test/general/test_offline_gzip.html
@@ -34,19 +34,19 @@ SimpleTest.waitForExplicitFinish();
 function finishTest() {
   // Clean up after ourselves.
   var Cc = SpecialPowers.Cc;
   var pm = Cc["@mozilla.org/permissionmanager;1"].
            getService(SpecialPowers.Ci.nsIPermissionManager);
 
   var uri = Cc["@mozilla.org/network/io-service;1"].getService(SpecialPowers.Ci.nsIIOService)
               .newURI(window.frames[0].location, null, null);
-  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                   .getService(SpecialPowers.Ci.nsIScriptSecurityManager)
-                   .getNoAppCodebasePrincipal(uri);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(SpecialPowers.Ci.nsIScriptSecurityManager);
+  var principal = ssm.createCodebasePrincipal(uri, {});
 
   pm.removeFromPrincipal(principal, "offline-app");
 
   window.removeEventListener("message", handleMessageEvents, false);
 
   offlineByDefault.reset();
   SimpleTest.finish();  
 }
--- a/browser/base/content/test/newtab/head.js
+++ b/browser/base/content/test/newtab/head.js
@@ -13,17 +13,17 @@ Cu.import("resource:///modules/Directory
 Cu.import("resource://testing-common/PlacesTestUtils.jsm", tmp);
 Cc["@mozilla.org/moz/jssubscript-loader;1"]
   .getService(Ci.mozIJSSubScriptLoader)
   .loadSubScript("chrome://browser/content/sanitize.js", tmp);
 Cu.import("resource://gre/modules/Timer.jsm", tmp);
 let {Promise, NewTabUtils, Sanitizer, clearTimeout, setTimeout, DirectoryLinksProvider, PlacesTestUtils} = tmp;
 
 let uri = Services.io.newURI("about:newtab", null, null);
-let principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri);
+let principal = Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
 
 let isMac = ("nsILocalFileMac" in Ci);
 let isLinux = ("@mozilla.org/gnome-gconf-service;1" in Cc);
 let isWindows = ("@mozilla.org/windows-registry-key;1" in Cc);
 let gWindow = window;
 
 // Default to dummy/empty directory links
 let gDirectorySource = 'data:application/json,{"test":1}';
--- a/browser/components/feeds/FeedConverter.js
+++ b/browser/components/feeds/FeedConverter.js
@@ -249,17 +249,17 @@ FeedConverter.prototype = {
         // page can access it.
         feedService.addFeedResult(result);
 
         // Now load the actual XUL document.
         var aboutFeedsURI = ios.newURI("about:feeds", null, null);
         chromeChannel = ios.newChannelFromURIWithLoadInfo(aboutFeedsURI, loadInfo);
         chromeChannel.originalURI = result.uri;
         chromeChannel.owner =
-          Services.scriptSecurityManager.getNoAppCodebasePrincipal(aboutFeedsURI);
+          Services.scriptSecurityManager.createCodebasePrincipal(aboutFeedsURI, {});
       } else {
         chromeChannel = ios.newChannelFromURIWithLoadInfo(result.uri, loadInfo);
       }
 
       chromeChannel.loadGroup = this._request.loadGroup;
       chromeChannel.asyncOpen(this._listener, null);
     }
     finally {
--- a/browser/components/preferences/aboutPermissions.js
+++ b/browser/components/preferences/aboutPermissions.js
@@ -492,17 +492,17 @@ let AboutPermissions = {
     gSitesStmt.params.limit = this.PLACES_SITES_LIMIT;
     gSitesStmt.executeAsync({
       handleResult: function(aResults) {
         AboutPermissions.startSitesListBatch();
         let row;
         while (row = aResults.getNextRow()) {
           let spec = row.getResultByName("url");
           let uri = NetUtil.newURI(spec);
-          let principal = gSecMan.getNoAppCodebasePrincipal(uri);
+          let principal = gSecMan.createCodebasePrincipal(uri, {});
 
           AboutPermissions.addPrincipal(principal);
         }
         AboutPermissions.endSitesListBatch();
       },
       handleError: function(aError) {
         Cu.reportError("AboutPermissions: " + aError);
       },
@@ -543,33 +543,33 @@ let AboutPermissions = {
     let logins = Services.logins.getAllLogins();
     logins.forEach(function(aLogin) {
       if (itemCnt % this.LIST_BUILD_CHUNK == 0) {
         yield true;
       }
       try {
         // aLogin.hostname is a string in origin URL format (e.g. "http://foo.com")
         let uri = NetUtil.newURI(aLogin.hostname);
-        let principal = gSecMan.getNoAppCodebasePrincipal(uri);
+        let principal = gSecMan.createCodebasePrincipal(uri, {});
         this.addPrincipal(principal);
       } catch (e) {
         // newURI will throw for add-ons logins stored in chrome:// URIs
       }
       itemCnt++;
     }, this);
 
     let disabledHosts = Services.logins.getAllDisabledHosts();
     disabledHosts.forEach(function(aHostname) {
       if (itemCnt % this.LIST_BUILD_CHUNK == 0) {
         yield true;
       }
       try {
         // aHostname is a string in origin URL format (e.g. "http://foo.com")
         let uri = NetUtil.newURI(aHostname);
-        let principal = gSecMan.getNoAppCodebasePrincipal(uri);
+        let principal = gSecMan.createCodebasePrincipal(uri, {});
         this.addPrincipal(principal);
       } catch (e) {
         // newURI will throw for add-ons logins stored in chrome:// URIs
       }
       itemCnt++;
     }, this);
 
     let enumerator = Services.perms.enumerator;
--- a/browser/components/preferences/permissions.js
+++ b/browser/components/preferences/permissions.js
@@ -90,22 +90,22 @@ var gPermissionManager = {
       // help catch cases where the URI parser parsed something like
       // `localhost:8080` as having the scheme `localhost`, rather than being
       // an invalid URI. A canonical origin representation is required by the
       // permission manager for storage, so this won't prevent any valid
       // permissions from being entered by the user.
       let uri;
       try {
         uri = Services.io.newURI(input_url, null, null);
-        principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri);
+        principal = Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
         // If we have ended up with an unknown scheme, the following will throw.
         principal.origin;
       } catch(ex) {
         uri = Services.io.newURI("http://" + input_url, null, null);
-        principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri);
+        principal = Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
         // If we have ended up with an unknown scheme, the following will throw.
         principal.origin;
       }
     } catch(ex) {
       var message = this._bundle.getString("invalidURI");
       var title = this._bundle.getString("invalidURITitle");
       Services.prompt.alert(window, title, message);
       return;
--- a/browser/components/preferences/tests/browser_permissions.js
+++ b/browser/components/preferences/tests/browser_permissions.js
@@ -3,18 +3,20 @@
 
 Components.utils.import("resource://gre/modules/NetUtil.jsm");
 
 const ABOUT_PERMISSIONS_SPEC = "about:permissions";
 
 const TEST_URI_1 = NetUtil.newURI("http://mozilla.com/");
 const TEST_URI_2 = NetUtil.newURI("http://mozilla.org/");
 
-const TEST_PRINCIPAL_1 = Services.scriptSecurityManager.getNoAppCodebasePrincipal(TEST_URI_1);
-const TEST_PRINCIPAL_2 = Services.scriptSecurityManager.getNoAppCodebasePrincipal(TEST_URI_2);
+const TEST_PRINCIPAL_1 =
+  Services.scriptSecurityManager.createCodebasePrincipal(TEST_URI_1, {});
+const TEST_PRINCIPAL_2 =
+  Services.scriptSecurityManager.createCodebasePrincipal(TEST_URI_2, {});
 
 // values from DefaultPermissions object
 const PERM_UNKNOWN = 0;
 const PERM_ALLOW = 1;
 const PERM_DENY = 2;
 // cookie specific permissions
 const PERM_FIRST_PARTY_ONLY = 9;
 
--- a/browser/devtools/styleinspector/test/browser_styleinspector_csslogic-content-stylesheets.js
+++ b/browser/devtools/styleinspector/test/browser_styleinspector_csslogic-content-stylesheets.js
@@ -10,19 +10,19 @@
 // toolkit/devtools/server/tests/mochitest/test_css-logic-...something...html
 // test
 
 const TEST_URI_HTML = TEST_URL_ROOT + "doc_content_stylesheet.html";
 const TEST_URI_XUL = TEST_URL_ROOT + "doc_content_stylesheet.xul";
 const XUL_URI = Cc["@mozilla.org/network/io-service;1"]
                 .getService(Ci.nsIIOService)
                 .newURI(TEST_URI_XUL, null, null);
-const XUL_PRINCIPAL = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                        .getService(Ci.nsIScriptSecurityManager)
-                        .getNoAppCodebasePrincipal(XUL_URI);
+let ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                            .getService(Ci.nsIScriptSecurityManager);
+const XUL_PRINCIPAL = ssm.createCodebasePrincipal(XUL_URI, {});
 
 add_task(function*() {
   info("Checking stylesheets on HTML document");
   yield addTab(TEST_URI_HTML);
   let target = getNode("#target");
 
   let {inspector} = yield openRuleView();
   yield selectNode("#target", inspector);
--- a/browser/extensions/pdfjs/content/PdfStreamConverter.jsm
+++ b/browser/extensions/pdfjs/content/PdfStreamConverter.jsm
@@ -990,24 +990,31 @@ PdfStreamConverter.prototype = {
     };
 
     // Keep the URL the same so the browser sees it as the same.
     channel.originalURI = aRequest.URI;
     channel.loadGroup = aRequest.loadGroup;
 
     // We can use resource principal when data is fetched by the chrome
     // e.g. useful for NoScript
-    var securityManager = Cc['@mozilla.org/scriptsecuritymanager;1']
-                          .getService(Ci.nsIScriptSecurityManager);
+    var ssm = Cc['@mozilla.org/scriptsecuritymanager;1']
+                .getService(Ci.nsIScriptSecurityManager);
     var uri = NetUtil.newURI(PDF_VIEWER_WEB_PAGE, null, null);
     // FF16 and below had getCodebasePrincipal, it was replaced by
     // getNoAppCodebasePrincipal (bug 758258).
-    var resourcePrincipal = 'getNoAppCodebasePrincipal' in securityManager ?
-                            securityManager.getNoAppCodebasePrincipal(uri) :
-                            securityManager.getCodebasePrincipal(uri);
+    // FF 43 added createCodebasePrincipal to replace getNoAppCodebasePrincipal
+    // (bug 1165272).
+    var resourcePrincipal
+    if ('createCodebasePrincipal' in ssm) {
+      resourcePrincipal = ssm.createCodebasePrincipal(uri, {});
+    } else if ('getNoAppCodebasePrincipal' in ssm) {
+      resourcePrincipal = ssm.getNoAppCodebasePrincipal(uri)
+    } else {
+      resourcePrincipal = ssm.getCodebasePrincipal(uri);
+    }
     aRequest.owner = resourcePrincipal;
     channel.asyncOpen(proxy, aContext);
   },
 
   // nsIRequestObserver::onStopRequest
   onStopRequest: function(aRequest, aContext, aStatusCode) {
     if (!this.dataListener) {
       // Do nothing
--- a/browser/extensions/shumway/chrome/SpecialStorage.jsm
+++ b/browser/extensions/shumway/chrome/SpecialStorage.jsm
@@ -17,19 +17,19 @@
 var EXPORTED_SYMBOLS = ['SpecialStorageUtils'];
 
 Components.utils.import('resource://gre/modules/Services.jsm');
 
 var SpecialStorageUtils = {
   createWrappedSpecialStorage: function (sandbox, swfUrl, privateBrowsing) {
     // Creating internal localStorage object based on url and privateBrowsing setting.
     var uri = Services.io.newURI(swfUrl, null, null);
-    var principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                              .getService(Components.interfaces.nsIScriptSecurityManager)
-                              .getNoAppCodebasePrincipal(uri);
+    var ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                                .getService(Components.interfaces.nsIScriptSecurityManager);
+    var principal = ssm.createCodebasePrincipal(uri, {});
     var dsm = Components.classes["@mozilla.org/dom/localStorage-manager;1"]
                                 .getService(Components.interfaces.nsIDOMStorageManager);
     var storage = dsm.createStorage(null, principal, privateBrowsing);
 
     // We will return object created in the sandbox/content, with some exposed
     // properties/methods, so we can send data between wrapped object and
     // and sandbox/content.
     var wrapper = Components.utils.cloneInto({
--- a/browser/modules/Feeds.jsm
+++ b/browser/modules/Feeds.jsm
@@ -61,17 +61,18 @@ this.Feeds = {
     if (!aIsFeed) {
       aIsFeed = (type == "application/rss+xml" ||
                  type == "application/atom+xml");
     }
 
     if (aIsFeed) {
       // re-create the principal as it may be a CPOW.
       let principalURI = BrowserUtils.makeURIFromCPOW(aPrincipal.URI);
-      let principalToCheck = Services.scriptSecurityManager.getNoAppCodebasePrincipal(principalURI);
+      let principalToCheck =
+        Services.scriptSecurityManager.createCodebasePrincipal(principalURI, {});
       try {
         BrowserUtils.urlSecurityCheck(aLink.href, principalToCheck,
                                       Ci.nsIScriptSecurityManager.DISALLOW_INHERIT_PRINCIPAL);
         return type || "application/rss+xml";
       }
       catch(ex) {
       }
     }
--- a/caps/nsIScriptSecurityManager.idl
+++ b/caps/nsIScriptSecurityManager.idl
@@ -21,17 +21,17 @@ class DomainPolicyClone;
 }
 }
 %}
 
 [ptr] native JSContextPtr(JSContext);
 [ptr] native JSObjectPtr(JSObject);
 [ptr] native DomainPolicyClonePtr(mozilla::dom::DomainPolicyClone);
 
-[scriptable, uuid(73f92674-f59d-4c9b-a9b5-f7a3ae8ffa98)]
+[scriptable, uuid(6e8a4d1e-d9c6-4d86-bf53-d73f58f36148)]
 interface nsIScriptSecurityManager : nsISupports
 {
     /**
      * For each of these hooks returning NS_OK means 'let the action continue'.
      * Returning an error code means 'veto the action'. XPConnect will return
      * false to the js engine if the action is vetoed. The implementor of this
      * interface is responsible for setting a JS exception into the JSContext
      * if that is appropriate.
@@ -172,18 +172,20 @@ interface nsIScriptSecurityManager : nsI
      */
     nsIPrincipal getDocShellCodebasePrincipal(in nsIURI uri,
                                               in nsIDocShell docShell);
 
     /**
      * Returns a principal with that has the same origin as uri and is not part
      * of an appliction.
      * The returned principal will have appId = NO_APP_ID.
+     *
+     * @deprecated use createCodebasePrincipal instead.
      */
-    nsIPrincipal getNoAppCodebasePrincipal(in nsIURI uri);
+    [deprecated] nsIPrincipal getNoAppCodebasePrincipal(in nsIURI uri);
 
     /**
      * Legacy method for getting a principal with no origin attributes.
      *
      * @deprecated use createCodebasePrincipal instead.
      */
     [deprecated] nsIPrincipal getCodebasePrincipal(in nsIURI uri);
 
--- a/dom/cache/test/mochitest/test_chrome_constructor.html
+++ b/dom/cache/test/mochitest/test_chrome_constructor.html
@@ -15,17 +15,17 @@
 
   SpecialPowers.pushPrefEnv({
     "set": [["dom.caches.enabled", true],
             ["dom.caches.testing.enabled", true]],
   }, function() {
     // attach to a different origin's CacheStorage
     var url = 'http://example.com/';
     var uri = Services.io.newURI(url, null, null);
-    var principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri);
+    var principal = Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
     var storage = new CacheStorage('content', principal);
 
     // verify we can use the other origin's CacheStorage as normal
     var req = new Request('http://example.com/index.html');
     var res = new Response('hello world');
     var cache;
     storage.open('foo').then(function(c) {
       cache = c;
--- a/dom/indexedDB/test/head.js
+++ b/dom/indexedDB/test/head.js
@@ -111,45 +111,45 @@ function dispatchEvent(eventName)
 
 function setPermission(url, permission)
 {
   const nsIPermissionManager = Components.interfaces.nsIPermissionManager;
 
   let uri = Components.classes["@mozilla.org/network/io-service;1"]
                       .getService(Components.interfaces.nsIIOService)
                       .newURI(url, null, null);
-  let principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  let ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                      .getService(Ci.nsIScriptSecurityManager);
+  let principal = ssm.createCodebasePrincipal(uri, {});
 
   Components.classes["@mozilla.org/permissionmanager;1"]
             .getService(nsIPermissionManager)
             .addFromPrincipal(principal, permission,
                               nsIPermissionManager.ALLOW_ACTION);
 }
 
 function removePermission(url, permission)
 {
   let uri = Components.classes["@mozilla.org/network/io-service;1"]
                       .getService(Components.interfaces.nsIIOService)
                       .newURI(url, null, null);
-  let principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  let ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                      .getService(Ci.nsIScriptSecurityManager);
+  let principal = ssm.createCodebasePrincipal(uri, {});
 
   Components.classes["@mozilla.org/permissionmanager;1"]
             .getService(Components.interfaces.nsIPermissionManager)
             .removeFromPrincipal(principal, permission);
 }
 
 function getPermission(url, permission)
 {
   let uri = Components.classes["@mozilla.org/network/io-service;1"]
                       .getService(Components.interfaces.nsIIOService)
                       .newURI(url, null, null);
-  let principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  let ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                      .getService(Ci.nsIScriptSecurityManager);
+  let principal = ssm.createCodebasePrincipal(uri, {});
 
   return Components.classes["@mozilla.org/permissionmanager;1"]
                    .getService(Components.interfaces.nsIPermissionManager)
                    .testPermissionFromPrincipal(principal, permission);
 }
--- a/dom/indexedDB/test/unit/test_defaultStorageUpgrade.js
+++ b/dom/indexedDB/test/unit/test_defaultStorageUpgrade.js
@@ -85,24 +85,20 @@ function testSteps()
 
   let ssm = SpecialPowers.Cc["@mozilla.org/scriptsecuritymanager;1"]
                          .getService(SpecialPowers.Ci.nsIScriptSecurityManager);
 
   function openDatabase(params) {
     let request;
     if ("url" in params) {
       let uri = ios.newURI(params.url, null, null);
-      let principal;
-      if ("appId" in params) {
-        principal =
-          ssm.createCodebasePrincipal(uri, {appId: params.appId,
-                                            inBrowser: params.inMozBrowser});
-      } else {
-        principal = ssm.getNoAppCodebasePrincipal(uri);
-      }
+      let principal =
+        ssm.createCodebasePrincipal(uri,
+                                    {appId: params.appId || ssm.NO_APPID,
+                                     inBrowser: params.inMozBrowser});
       if ("dbVersion" in params) {
         request = indexedDB.openForPrincipal(principal, params.dbName,
                                              params.dbVersion);
       } else {
         request = indexedDB.openForPrincipal(principal, params.dbName,
                                              params.dbOptions);
       }
     } else {
--- a/dom/indexedDB/test/unit/test_idle_maintenance.js
+++ b/dom/indexedDB/test/unit/test_idle_maintenance.js
@@ -5,19 +5,19 @@
 
 var testGenerator = testSteps();
 
 function testSteps()
 {
   let uri = Cc["@mozilla.org/network/io-service;1"].
             getService(Ci.nsIIOService).
             newURI("https://www.example.com", null, null);
-  let principal = Cc["@mozilla.org/scriptsecuritymanager;1"].
-                  getService(Ci.nsIScriptSecurityManager).
-                  getNoAppCodebasePrincipal(uri);
+  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+  let principal = ssm.createCodebasePrincipal(uri, {});
 
   info("Setting permissions");
 
   let permMgr =
     Cc["@mozilla.org/permissionmanager;1"].getService(Ci.nsIPermissionManager);
   permMgr.add(uri, "indexedDB", Ci.nsIPermissionManager.ALLOW_ACTION);
 
   info("Setting idle preferences to prevent real 'idle-daily' notification");
--- a/dom/indexedDB/test/unit/test_metadataRestore.js
+++ b/dom/indexedDB/test/unit/test_metadataRestore.js
@@ -62,17 +62,17 @@ function testSteps()
 
   let ssm = SpecialPowers.Cc["@mozilla.org/scriptsecuritymanager;1"]
                          .getService(SpecialPowers.Ci.nsIScriptSecurityManager);
 
   function openDatabase(params) {
     let request;
     if ("url" in params) {
       let uri = ios.newURI(params.url, null, null);
-      let principal = ssm.getNoAppCodebasePrincipal(uri);
+      let principal = ssm.createCodebasePrincipal(uri, {});
       request = indexedDB.openForPrincipal(principal, params.dbName,
                                            params.dbOptions);
     } else {
       request = indexedDB.open(params.dbName, params.dbOptions);
     }
     return request;
   }
 
--- a/dom/indexedDB/test/unit/test_open_for_principal.js
+++ b/dom/indexedDB/test/unit/test_open_for_principal.js
@@ -43,19 +43,19 @@ function testSteps()
   request.onsuccess = grabEventAndContinueHandler;
   event = yield undefined;
 
   is(event.target.result, data.key, "Got correct key");
 
   let uri = Components.classes["@mozilla.org/network/io-service;1"]
                       .getService(Components.interfaces.nsIIOService)
                       .newURI("http://appdata.example.com", null, null);
-  let principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                     .getService(Components.interfaces.nsIScriptSecurityManager)
-                     .getNoAppCodebasePrincipal(uri);
+  let ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                      .getService(Components.interfaces.nsIScriptSecurityManager);
+  let principal = ssm.createCodebasePrincipal(uri, {});
 
   request = indexedDB.openForPrincipal(principal, name, 1);
   request.onerror = errorHandler;
   request.onupgradeneeded = grabEventAndContinueHandler;
   request.onsuccess = grabEventAndContinueHandler;
   event = yield undefined;
 
   is(event.type, "upgradeneeded", "Got correct event type");
--- a/dom/indexedDB/test/unit/test_temporary_storage.js
+++ b/dom/indexedDB/test/unit/test_temporary_storage.js
@@ -29,19 +29,19 @@ function testSteps()
   function getSpec(index) {
     return "http://foo" + index + ".com";
   }
 
   function getPrincipal(url) {
     let uri = Cc["@mozilla.org/network/io-service;1"]
                 .getService(Ci.nsIIOService)
                 .newURI(url, null, null);
-    return Cc["@mozilla.org/scriptsecuritymanager;1"]
-             .getService(Ci.nsIScriptSecurityManager)
-             .getNoAppCodebasePrincipal(uri);
+    let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+                .getService(Ci.nsIScriptSecurityManager);
+    return ssm.createCodebasePrincipal(uri, {});
   }
 
   for (let temporary of [true, false]) {
     info("Testing '" + (temporary ? "temporary" : "default") + "' storage");
 
     setLimit(tempStorageLimitKB);
 
     clearAllDatabases(continueToNextStepSync);
--- a/dom/tests/mochitest/chrome/test_MozDomFullscreen_event.xul
+++ b/dom/tests/mochitest/chrome/test_MozDomFullscreen_event.xul
@@ -22,19 +22,19 @@ function make_uri(url) {
   var ios = Cc["@mozilla.org/network/io-service;1"].
             getService(Ci.nsIIOService);
   return ios.newURI(url, null, null);
 }
 
 // Ensure "fullscreen" permissions are not present on the test URI.
 var pm = Cc["@mozilla.org/permissionmanager;1"].getService(Ci.nsIPermissionManager);
 var uri = make_uri("http://mochi.test:8888");
-var principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                  .getService(Ci.nsIScriptSecurityManager)
-                  .getNoAppCodebasePrincipal(uri);
+var ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                            .getService(Ci.nsIScriptSecurityManager);
+var principal = ssm.createCodebasePrincipal(uri, {});
 pm.removeFromPrincipal(principal, "fullscreen");
 
 SpecialPowers.pushPrefEnv({"set": [
   ['full-screen-api.enabled', true],
   ['full-screen-api.allow-trusted-requests-only', false],
   ['full-screen-api.transition-duration.enter', '0 0'],
   ['full-screen-api.transition-duration.leave', '0 0']
 ]}, setup);
--- a/dom/tests/mochitest/localstorage/test_localStorageFromChrome.xhtml
+++ b/dom/tests/mochitest/localstorage/test_localStorageFromChrome.xhtml
@@ -13,21 +13,21 @@ function startTest()
   var ios = Components.classes["@mozilla.org/network/io-service;1"]
     .getService(Components.interfaces.nsIIOService);
   var ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
     .getService(Components.interfaces.nsIScriptSecurityManager);
   var dsm = Components.classes["@mozilla.org/dom/localStorage-manager;1"]
     .getService(Components.interfaces.nsIDOMStorageManager);
 
   var uri = ios.newURI(url, "", null);
-  var principal = ssm.getNoAppCodebasePrincipal(uri);
+  var principal = ssm.createCodebasePrincipal(uri, {});
   var storage = dsm.createStorage(window, principal, "");
-  
+
   storage.setItem("chromekey", "chromevalue");
-  
+
   var aframe = document.getElementById("aframe");
   aframe.onload = function()
   {
     is(storage.getItem("chromekey"), "chromevalue");
     is(aframe.contentDocument.getElementById("data").innerHTML, "chromevalue");
     SimpleTest.finish();
   }
   aframe.src = "http://example.com/tests/dom/tests/mochitest/localstorage/frameChromeSlave.html";  
--- a/extensions/cookie/nsPermission.cpp
+++ b/extensions/cookie/nsPermission.cpp
@@ -2,17 +2,16 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsPermission.h"
 #include "nsContentUtils.h"
 #include "nsIClassInfoImpl.h"
 #include "nsIEffectiveTLDService.h"
-#include "nsIScriptSecurityManager.h"
 #include "mozilla/BasePrincipal.h"
 
 // nsPermission Implementation
 
 NS_IMPL_CLASSINFO(nsPermission, nullptr, 0, {0})
 NS_IMPL_ISUPPORTS_CI(nsPermission, nsIPermission)
 
 nsPermission::nsPermission(nsIPrincipal*    aPrincipal,
@@ -163,17 +162,14 @@ nsPermission::Matches(nsIPrincipal* aPri
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPermission::MatchesURI(nsIURI* aURI, bool aExactHost, bool* aMatches)
 {
   NS_ENSURE_ARG_POINTER(aURI);
 
-  nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
-  NS_ENSURE_TRUE(secMan, NS_ERROR_FAILURE);
-
-  nsCOMPtr<nsIPrincipal> principal;
-  nsresult rv = secMan->GetNoAppCodebasePrincipal(aURI, getter_AddRefs(principal));
-  NS_ENSURE_SUCCESS(rv, rv);
+  mozilla::OriginAttributes attrs;
+  nsCOMPtr<nsIPrincipal> principal = mozilla::BasePrincipal::CreateCodebasePrincipal(aURI, attrs);
+  NS_ENSURE_TRUE(principal, NS_ERROR_FAILURE);
 
   return Matches(principal, aExactHost, aMatches);
 }
--- a/extensions/cookie/nsPermissionManager.cpp
+++ b/extensions/cookie/nsPermissionManager.cpp
@@ -133,20 +133,22 @@ GetPrincipal(nsIURI* aURI, uint32_t aApp
 
   principal.forget(aPrincipal);
   return NS_OK;
 }
 
 nsresult
 GetPrincipal(nsIURI* aURI, nsIPrincipal** aPrincipal)
 {
-  nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
-  NS_ENSURE_TRUE(secMan, NS_ERROR_FAILURE);
-
-  return secMan->GetNoAppCodebasePrincipal(aURI, aPrincipal);
+  mozilla::OriginAttributes attrs;
+  nsCOMPtr<nsIPrincipal> principal = mozilla::BasePrincipal::CreateCodebasePrincipal(aURI, attrs);
+  NS_ENSURE_TRUE(principal, NS_ERROR_FAILURE);
+
+  principal.forget(aPrincipal);
+  return NS_OK;
 }
 
 nsCString
 GetNextSubDomainForHost(const nsACString& aHost)
 {
   nsCOMPtr<nsIEffectiveTLDService> tldService =
     do_GetService(NS_EFFECTIVETLDSERVICE_CONTRACTID);
   if (!tldService) {
--- a/extensions/cookie/test/unit/test_permmanager_defaults.js
+++ b/extensions/cookie/test/unit/test_permmanager_defaults.js
@@ -46,20 +46,21 @@ add_task(function* do_test() {
   // Set the preference used by the permission manager so the file is read.
   Services.prefs.setCharPref("permissions.manager.defaultsUrl", "file://" + file.path);
 
   // initialize the permission manager service - it will read that default.
   let pm = Cc["@mozilla.org/permissionmanager;1"].
            getService(Ci.nsIPermissionManager);
 
   // test the default permission was applied.
-  let principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(TEST_ORIGIN);
-  let principalHttps = Services.scriptSecurityManager.getNoAppCodebasePrincipal(TEST_ORIGIN_HTTPS);
-  let principal2 = Services.scriptSecurityManager.getNoAppCodebasePrincipal(TEST_ORIGIN_2);
-  let principal3 = Services.scriptSecurityManager.getNoAppCodebasePrincipal(TEST_ORIGIN_3);
+  let principal = Services.scriptSecurityManager.createCodebasePrincipal(TEST_ORIGIN, {});
+  let principalHttps = Services.scriptSecurityManager.createCodebasePrincipal(TEST_ORIGIN_HTTPS, {});
+  let principal2 = Services.scriptSecurityManager.createCodebasePrincipal(TEST_ORIGIN_2, {});
+  let principal3 = Services.scriptSecurityManager.createCodebasePrincipal(TEST_ORIGIN_3, {});
+
   let attrs = {appId: 1000, inBrowser: true};
   let principal4 = Services.scriptSecurityManager.createCodebasePrincipal(TEST_ORIGIN, attrs);
   let principal5 = Services.scriptSecurityManager.createCodebasePrincipal(TEST_ORIGIN_3, attrs);
 
   do_check_eq(Ci.nsIPermissionManager.ALLOW_ACTION,
               pm.testPermissionFromPrincipal(principal, TEST_PERMISSION));
   do_check_eq(Ci.nsIPermissionManager.ALLOW_ACTION,
               pm.testPermissionFromPrincipal(principalHttps, TEST_PERMISSION));
@@ -218,17 +219,17 @@ function checkCapabilityViaDB(expected, 
   do_check();
   return deferred.promise;
 }
 
 // use the DB to find the requested permission.   Returns the permission
 // value (ie, the "capability" in nsIPermission parlance) or null if it can't
 // be found.
 function findCapabilityViaDB(origin = TEST_ORIGIN, type = TEST_PERMISSION) {
-  let principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(origin);
+  let principal = Services.scriptSecurityManager.createCodebasePrincipal(origin, {});
   let originStr = principal.origin;
 
   let file = Services.dirsvc.get("ProfD", Ci.nsIFile);
   file.append("permissions.sqlite");
 
   let storage = Cc["@mozilla.org/storage/service;1"]
                   .getService(Ci.mozIStorageService);
 
--- a/extensions/cookie/test/unit/test_permmanager_expiration.js
+++ b/extensions/cookie/test/unit/test_permmanager_expiration.js
@@ -16,17 +16,17 @@ function continue_test()
 }
 
 function do_run_test() {
   // Set up a profile.
   let profile = do_get_profile();
 
   let pm = Services.perms;
   let permURI = NetUtil.newURI("http://example.com");
-  let principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(permURI);
+  let principal = Services.scriptSecurityManager.createCodebasePrincipal(permURI, {});
 
   let now = Number(Date.now());
 
   // add a permission with *now* expiration
   pm.addFromPrincipal(principal, "test/expiration-perm-exp", 1, pm.EXPIRE_TIME, now);
   pm.addFromPrincipal(principal, "test/expiration-session-exp", 1, pm.EXPIRE_SESSION, now);
 
   // add a permission with future expiration (100 milliseconds)
--- a/extensions/cookie/test/unit/test_permmanager_getPermissionObject.js
+++ b/extensions/cookie/test/unit/test_permmanager_getPermissionObject.js
@@ -1,15 +1,16 @@
 /* Any copyright is dedicated to the Public Domain.
    http://creativecommons.org/publicdomain/zero/1.0/ */
 
-function getPrincipalFromURI(uri) {
-  return Cc["@mozilla.org/scriptsecuritymanager;1"]
-           .getService(Ci.nsIScriptSecurityManager)
-           .getNoAppCodebasePrincipal(NetUtil.newURI(uri));
+function getPrincipalFromURI(aURI) {
+  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+  let uri = NetUtil.newURI(aURI);
+  return ssm.createCodebasePrincipal(uri, {});
 }
 
 function getSystemPrincipal() {
   return Cc["@mozilla.org/scriptsecuritymanager;1"]
            .getService(Ci.nsIScriptSecurityManager)
            .getSystemPrincipal();
 }
 
--- a/extensions/cookie/test/unit/test_permmanager_idn.js
+++ b/extensions/cookie/test/unit/test_permmanager_idn.js
@@ -1,15 +1,16 @@
 /* Any copyright is dedicated to the Public Domain.
    http://creativecommons.org/publicdomain/zero/1.0/ */
 
 function getPrincipalFromDomain(aDomain) {
-  return Cc["@mozilla.org/scriptsecuritymanager;1"]
-           .getService(Ci.nsIScriptSecurityManager)
-           .getNoAppCodebasePrincipal(NetUtil.newURI("http://" + aDomain));
+  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+  let uri = NetUtil.newURI("http://" + aDomain);
+  return ssm.createCodebasePrincipal(uri, {});
 }
 
 function run_test() {
   let profile = do_get_profile();
   let pm = Services.perms;
   let perm = 'test-idn';
 
   // We create three principal linked to IDN.
@@ -40,9 +41,9 @@ function run_test() {
   do_check_eq(pm.testPermissionFromPrincipal(punyTldPrincipal, perm), pm.ALLOW_ACTION);
 
   // However, those two principals shouldn't be allowed because they are like
   // the IDN but without the UT8-8 characters.
   let witnessPrincipal = getPrincipalFromDomain("foo.com");
   do_check_eq(pm.testPermissionFromPrincipal(witnessPrincipal, perm), pm.UNKNOWN_ACTION);
   witnessPrincipal = getPrincipalFromDomain("foo.bar.com");
   do_check_eq(pm.testPermissionFromPrincipal(witnessPrincipal, perm), pm.UNKNOWN_ACTION);
-}
\ No newline at end of file
+}
--- a/extensions/cookie/test/unit/test_permmanager_load_invalid_entries.js
+++ b/extensions/cookie/test/unit/test_permmanager_load_invalid_entries.js
@@ -129,13 +129,14 @@ function run_test() {
     let thisModTime = select.getInt64(0);
     do_check_true(thisModTime == 0, "new modifiedTime field is correct");
     numMigrated += 1;
   }
   // check we found at least 1 record that was migrated.
   do_check_true(numMigrated > 0, "we found at least 1 record that was migrated");
 
   // This permission should always be there.
-  let principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(NetUtil.newURI("http://example.org"));
+  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+  let uri = NetUtil.newURI("http://example.org");
+  let principal = ssm.createCodebasePrincipal(uri, {});
   do_check_eq(pm.testPermissionFromPrincipal(principal, 'test-load-invalid-entries'), Ci.nsIPermissionManager.ALLOW_ACTION);
 }
--- a/extensions/cookie/test/unit/test_permmanager_local_files.js
+++ b/extensions/cookie/test/unit/test_permmanager_local_files.js
@@ -1,16 +1,17 @@
 /* Any copyright is dedicated to the Public Domain.
    http://creativecommons.org/publicdomain/zero/1.0/ */
 
 // Test that permissions work for file:// URIs (aka local files).
 
 function getPrincipalFromURIString(uriStr)
 {
-  return Services.scriptSecurityManager.getNoAppCodebasePrincipal(NetUtil.newURI(uriStr));
+  let uri = NetUtil.newURI(uriStr);
+  return Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
 }
 
 function run_test() {
   let pm = Services.perms;
 
   // If we add a permission to a file:// URI, the test should return true.
   let principal = getPrincipalFromURIString("file:///foo/bar");
   pm.addFromPrincipal(principal, "test/local-files", pm.ALLOW_ACTION, 0, 0);
--- a/extensions/cookie/test/unit/test_permmanager_matches.js
+++ b/extensions/cookie/test/unit/test_permmanager_matches.js
@@ -33,22 +33,22 @@ function run_test() {
   // Add some permissions
   let uri0 = NetUtil.newURI("http://google.com/search?q=foo#hashtag", null, null);
   let uri1 = NetUtil.newURI("http://hangouts.google.com/subdir", null, null);
   let uri2 = NetUtil.newURI("http://google.org/", null, null);
   let uri3 = NetUtil.newURI("https://google.com/some/random/subdirectory", null, null);
   let uri4 = NetUtil.newURI("https://hangouts.google.com/#!/hangout", null, null);
   let uri5 = NetUtil.newURI("http://google.com:8096/", null, null);
 
-  let uri0_n_n = secMan.getNoAppCodebasePrincipal(uri0);
-  let uri1_n_n = secMan.getNoAppCodebasePrincipal(uri1);
-  let uri2_n_n = secMan.getNoAppCodebasePrincipal(uri2);
-  let uri3_n_n = secMan.getNoAppCodebasePrincipal(uri3);
-  let uri4_n_n = secMan.getNoAppCodebasePrincipal(uri4);
-  let uri5_n_n = secMan.getNoAppCodebasePrincipal(uri5);
+  let uri0_n_n = secMan.createCodebasePrincipal(uri0, {});
+  let uri1_n_n = secMan.createCodebasePrincipal(uri1, {});
+  let uri2_n_n = secMan.createCodebasePrincipal(uri2, {});
+  let uri3_n_n = secMan.createCodebasePrincipal(uri3, {});
+  let uri4_n_n = secMan.createCodebasePrincipal(uri4, {});
+  let uri5_n_n = secMan.createCodebasePrincipal(uri5, {});
 
   let attrs = {appId: 1000};
   let uri0_1000_n = secMan.createCodebasePrincipal(uri0, attrs);
   let uri1_1000_n = secMan.createCodebasePrincipal(uri1, attrs);
   let uri2_1000_n = secMan.createCodebasePrincipal(uri2, attrs);
   let uri3_1000_n = secMan.createCodebasePrincipal(uri3, attrs);
   let uri4_1000_n = secMan.createCodebasePrincipal(uri4, attrs);
   let uri5_1000_n = secMan.createCodebasePrincipal(uri5, attrs);
--- a/extensions/cookie/test/unit/test_permmanager_matchesuri.js
+++ b/extensions/cookie/test/unit/test_permmanager_matchesuri.js
@@ -26,19 +26,18 @@ function mk_permission(uri, isAppPermiss
   let pm = Cc["@mozilla.org/permissionmanager;1"].
         getService(Ci.nsIPermissionManager);
 
   let secMan = Cc["@mozilla.org/scriptsecuritymanager;1"]
         .getService(Ci.nsIScriptSecurityManager);
 
   // Get the permission from the principal!
   let attrs = {appId: 1000};
-  let principal = isAppPermission ?
-        secMan.createCodebasePrincipal(uri, attrs) :
-        secMan.getNoAppCodebasePrincipal(uri);
+  let principal =
+    secMan.createCodebasePrincipal(uri, isAppPermission ? attrs : {});
 
   pm.addFromPrincipal(principal, "test/matchesuri", pm.ALLOW_ACTION);
   let permission = pm.getPermissionObject(principal, "test/matchesuri", true);
 
   return permission;
 }
 
 function run_test() {
--- a/extensions/cookie/test/unit/test_permmanager_notifications.js
+++ b/extensions/cookie/test/unit/test_permmanager_notifications.js
@@ -18,19 +18,20 @@ function continue_test()
 
 function do_run_test() {
   // Set up a profile.
   let profile = do_get_profile();
 
   let pm = Services.perms;
   let now = Number(Date.now());
   let permType = "test/expiration-perm";
-  let principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(NetUtil.newURI("http://example.com"));
+  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+  let uri = NetUtil.newURI("http://example.com");
+  let principal = ssm.createCodebasePrincipal(uri, {});
 
   let observer = new permission_observer(test_generator, now, permType);
   Services.obs.addObserver(observer, "perm-changed", false);
 
   // Add a permission, to test the 'add' notification. Note that we use
   // do_execute_soon() so that we can use our generator to continue the test
   // where we left off.
   do_execute_soon(function() {
--- a/extensions/cookie/test/unit/test_permmanager_removesince.js
+++ b/extensions/cookie/test/unit/test_permmanager_removesince.js
@@ -19,20 +19,20 @@ function do_run_test() {
   // Set up a profile.
   let profile = do_get_profile();
 
   let pm = Services.perms;
 
   // to help with testing edge-cases, we will arrange for .removeAllSince to
   // remove *all* permissions from one principal and one permission from another.
   let permURI1 = NetUtil.newURI("http://example.com");
-  let principal1 = Services.scriptSecurityManager.getNoAppCodebasePrincipal(permURI1);
+  let principal1 = Services.scriptSecurityManager.createCodebasePrincipal(permURI1, {});
 
   let permURI2 = NetUtil.newURI("http://example.org");
-  let principal2 = Services.scriptSecurityManager.getNoAppCodebasePrincipal(permURI2);
+  let principal2 = Services.scriptSecurityManager.createCodebasePrincipal(permURI2, {});
 
   // add a permission now - this isn't going to be removed.
   pm.addFromPrincipal(principal1, "test/remove-since", 1);
 
   // sleep briefly, then record the time - we'll remove all since then.
   do_timeout(20, continue_test);
   yield;
 
--- a/extensions/cookie/test/unit/test_permmanager_subdomains.js
+++ b/extensions/cookie/test/unit/test_permmanager_subdomains.js
@@ -1,15 +1,16 @@
 /* Any copyright is dedicated to the Public Domain.
    http://creativecommons.org/publicdomain/zero/1.0/ */
 
-function getPrincipalFromURI(uri) {
-  return Cc["@mozilla.org/scriptsecuritymanager;1"]
-           .getService(Ci.nsIScriptSecurityManager)
-           .getNoAppCodebasePrincipal(NetUtil.newURI(uri));
+function getPrincipalFromURI(aURI) {
+  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+  let uri = NetUtil.newURI(aURI);
+  return ssm.createCodebasePrincipal(uri, {});
 }
 
 function run_test() {
   var pm = Cc["@mozilla.org/permissionmanager;1"].
            getService(Ci.nsIPermissionManager);
 
   // Adds a permission to a sub-domain. Checks if it is working.
   let sub1Principal = getPrincipalFromURI("http://sub1.example.com");
@@ -48,9 +49,9 @@ function run_test() {
   // A sanity check that the previous implementation wasn't passing...
   let crazyPrincipal = getPrincipalFromURI("http://com");
   pm.addFromPrincipal(crazyPrincipal, "test/subdomains", pm.ALLOW_ACTION, 0, 0);
   do_check_eq(pm.testPermissionFromPrincipal(crazyPrincipal, "test/subdomains"),  pm.ALLOW_ACTION);
   do_check_eq(pm.testPermissionFromPrincipal(mainPrincipal, "test/subdomains"),   pm.UNKNOWN_ACTION);
   do_check_eq(pm.testPermissionFromPrincipal(sub1Principal, "test/subdomains"),   pm.UNKNOWN_ACTION);
   do_check_eq(pm.testPermissionFromPrincipal(sub2Principal, "test/subdomains"),   pm.UNKNOWN_ACTION);
   do_check_eq(pm.testPermissionFromPrincipal(subsubPrincipal, "test/subdomains"), pm.UNKNOWN_ACTION);
-}
\ No newline at end of file
+}
--- a/extensions/cookie/test/unit_ipc/test_child.js
+++ b/extensions/cookie/test/unit_ipc/test_child.js
@@ -7,19 +7,19 @@ var gIoService = Components.classes["@mo
 
 function isParentProcess() {
     let appInfo = Cc["@mozilla.org/xre/app-info;1"];
     return (!appInfo || appInfo.getService(Ci.nsIXULRuntime).processType == Ci.nsIXULRuntime.PROCESS_TYPE_DEFAULT);
 }
 
 function getPrincipalForURI(aURI) {
   var uri =  gIoService.newURI(aURI, null, null);
-  return Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                   .getService(Ci.nsIScriptSecurityManager)
-                   .getNoAppCodebasePrincipal(uri);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+  return ssm.createCodebasePrincipal(uri, {});
 }
 
 function run_test() {
   if (!isParentProcess()) {
     const Ci = Components.interfaces;
     const Cc = Components.classes;
 
     var mM = Cc["@mozilla.org/childprocessmessagemanager;1"].
--- a/extensions/cookie/test/unit_ipc/test_parent.js
+++ b/extensions/cookie/test/unit_ipc/test_parent.js
@@ -7,19 +7,19 @@ var gIoService = Components.classes["@mo
 
 function isParentProcess() {
     let appInfo = Cc["@mozilla.org/xre/app-info;1"];
     return (!appInfo || appInfo.getService(Ci.nsIXULRuntime).processType == Ci.nsIXULRuntime.PROCESS_TYPE_DEFAULT);
 }
 
 function getPrincipalForURI(aURI) {
   var uri = gIoService.newURI(aURI, null, null);
-  return Cc["@mozilla.org/scriptsecuritymanager;1"]
-           .getService(Ci.nsIScriptSecurityManager)
-           .getNoAppCodebasePrincipal(uri);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+  return ssm.createCodebasePrincipal(uri, {});
 }
 
 function run_test() {
   if (isParentProcess()) {
     var pm = Cc["@mozilla.org/permissionmanager;1"].getService(Ci.nsIPermissionManager);
 
     // Permissions created before the child is present
     pm.addFromPrincipal(getPrincipalForURI("http://mozilla.org"), "cookie1", pm.ALLOW_ACTION, pm.EXPIRE_NEVER, 0);
--- a/gfx/thebes/gfxSVGGlyphs.cpp
+++ b/gfx/thebes/gfxSVGGlyphs.cpp
@@ -14,20 +14,20 @@
 #include "nsIStreamListener.h"
 #include "nsServiceManagerUtils.h"
 #include "nsIPresShell.h"
 #include "nsNetUtil.h"
 #include "nsIInputStream.h"
 #include "nsStringStream.h"
 #include "nsStreamUtils.h"
 #include "nsIPrincipal.h"
+#include "mozilla/BasePrincipal.h"
 #include "mozilla/dom/Element.h"
 #include "mozilla/LoadInfo.h"
 #include "nsSVGUtils.h"
-#include "nsIScriptSecurityManager.h"
 #include "nsHostObjectProtocolHandler.h"
 #include "nsContentUtils.h"
 #include "gfxFont.h"
 #include "nsSMILAnimationController.h"
 #include "gfxContext.h"
 #include "gfxColor.h"
 #include "harfbuzz/hb.h"
 
@@ -343,19 +343,20 @@ gfxSVGGlyphsDocument::ParseDocument(cons
     nsCOMPtr<nsIURI> uri;
     nsHostObjectProtocolHandler::GenerateURIString(NS_LITERAL_CSTRING(FONTTABLEURI_SCHEME),
                                                    nullptr,
                                                    mSVGGlyphsDocumentURI);
  
     rv = NS_NewURI(getter_AddRefs(uri), mSVGGlyphsDocumentURI);
     NS_ENSURE_SUCCESS(rv, rv);
 
-    nsCOMPtr<nsIPrincipal> principal;
-    nsContentUtils::GetSecurityManager()->
-        GetNoAppCodebasePrincipal(uri, getter_AddRefs(principal));
+    OriginAttributes attrs;
+    nsCOMPtr<nsIPrincipal> principal =
+        BasePrincipal::CreateCodebasePrincipal(uri, attrs);
+    NS_ENSURE_TRUE(principal, NS_ERROR_FAILURE);
 
     nsCOMPtr<nsIDOMDocument> domDoc;
     rv = NS_NewDOMDocument(getter_AddRefs(domDoc),
                            EmptyString(),   // aNamespaceURI
                            EmptyString(),   // aQualifiedName
                            nullptr,          // aDoctype
                            uri, uri, principal,
                            false,           // aLoadedAsData
--- a/js/xpconnect/src/Sandbox.cpp
+++ b/js/xpconnect/src/Sandbox.cpp
@@ -11,17 +11,16 @@
 #include "AccessCheck.h"
 #include "jsfriendapi.h"
 #include "js/Proxy.h"
 #include "js/StructuredClone.h"
 #include "nsContentUtils.h"
 #include "nsGlobalWindow.h"
 #include "nsIScriptContext.h"
 #include "nsIScriptObjectPrincipal.h"
-#include "nsIScriptSecurityManager.h"
 #include "nsIURI.h"
 #include "nsJSUtils.h"
 #include "nsNetUtil.h"
 #include "nsNullPrincipal.h"
 #include "nsPrincipal.h"
 #include "nsXMLHttpRequest.h"
 #include "WrapperFactory.h"
 #include "xpcprivate.h"
@@ -1188,25 +1187,25 @@ ParsePrincipal(JSContext* cx, HandleStri
     nsAutoJSString codebaseStr;
     NS_ENSURE_TRUE(codebaseStr.init(cx, codebase), false);
     nsresult rv = NS_NewURI(getter_AddRefs(uri), codebaseStr);
     if (NS_FAILED(rv)) {
         JS_ReportError(cx, "Creating URI from string failed");
         return false;
     }
 
-    nsCOMPtr<nsIScriptSecurityManager> secman =
-        do_GetService(kScriptSecurityManagerContractID);
-    NS_ENSURE_TRUE(secman, false);
-
     // We could allow passing in the app-id and browser-element info to the
     // sandbox constructor. But creating a sandbox based on a string is a
     // deprecated API so no need to add features to it.
-    rv = secman->GetNoAppCodebasePrincipal(uri, principal);
-    if (NS_FAILED(rv) || !*principal) {
+    OriginAttributes attrs;
+    nsCOMPtr<nsIPrincipal> prin =
+        BasePrincipal::CreateCodebasePrincipal(uri, attrs);
+    prin.forget(principal);
+
+    if (!*principal) {
         JS_ReportError(cx, "Creating Principal from URI failed");
         return false;
     }
     return true;
 }
 
 /*
  * For sandbox constructor the first argument can be a principal object or
--- a/netwerk/test/unit/test_auth_dialog_permission.js
+++ b/netwerk/test/unit/test_auth_dialog_permission.js
@@ -106,21 +106,20 @@ Requestor.prototype = {
 
 function make_uri(url) {
   var ios = Cc["@mozilla.org/network/io-service;1"].
               getService(Ci.nsIIOService);
   return ios.newURI(url, null, null);
 }
 
 function makeChan(loadingUrl, url, contentPolicy) {
-  var loadingUri = make_uri(loadingUrl);
-  var principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(loadingUri);
-
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+  var uri = make_uri(loadingUrl);
+  var principal = ssm.createCodebasePrincipal(uri, {});
   var ios = Components.classes["@mozilla.org/network/io-service;1"]
                       .getService(Components.interfaces.nsIIOService);
   var chan = ios.newChannel2(url,
                              null,
                              null,
                              null,
                              principal,
                              null,
--- a/netwerk/test/unit/test_fallback_no-cache-entry_canceled.js
+++ b/netwerk/test/unit/test_fallback_no-cache-entry_canceled.js
@@ -67,20 +67,20 @@ function run_test()
   httpServer = new HttpServer();
   httpServer.registerPathHandler("/masterEntry", masterEntryHandler);
   httpServer.registerPathHandler("/manifest", manifestHandler);
   httpServer.registerPathHandler("/content", contentHandler);
   httpServer.start(-1);
 
   var pm = Cc["@mozilla.org/permissionmanager;1"]
     .getService(Ci.nsIPermissionManager);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
   var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  var principal = ssm.createCodebasePrincipal(uri, {});
 
   if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
     dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
   }
   pm.addFromPrincipal(principal, "offline-app", Ci.nsIPermissionManager.ALLOW_ACTION);
 
   var ps = Cc["@mozilla.org/preferences-service;1"]
     .getService(Ci.nsIPrefBranch);
--- a/netwerk/test/unit/test_fallback_no-cache-entry_passing.js
+++ b/netwerk/test/unit/test_fallback_no-cache-entry_passing.js
@@ -67,20 +67,20 @@ function run_test()
   httpServer = new HttpServer();
   httpServer.registerPathHandler("/masterEntry", masterEntryHandler);
   httpServer.registerPathHandler("/manifest", manifestHandler);
   httpServer.registerPathHandler("/content", contentHandler);
   httpServer.start(-1);
 
   var pm = Cc["@mozilla.org/permissionmanager;1"]
     .getService(Ci.nsIPermissionManager);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
   var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  var principal = ssm.createCodebasePrincipal(uri, {});
 
   if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
     dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
   }
   pm.addFromPrincipal(principal, "offline-app", Ci.nsIPermissionManager.ALLOW_ACTION);
 
   var ps = Cc["@mozilla.org/preferences-service;1"]
     .getService(Ci.nsIPrefBranch);
--- a/netwerk/test/unit/test_fallback_redirect-to-different-origin_canceled.js
+++ b/netwerk/test/unit/test_fallback_redirect-to-different-origin_canceled.js
@@ -75,20 +75,20 @@ function run_test()
   httpServer.registerPathHandler("/masterEntry", masterEntryHandler);
   httpServer.registerPathHandler("/manifest", manifestHandler);
   httpServer.registerPathHandler("/content", contentHandler);
   httpServer.registerPathHandler(randomPath, redirectHandler);
   httpServer.start(-1);
 
   var pm = Cc["@mozilla.org/permissionmanager;1"]
     .getService(Ci.nsIPermissionManager);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
   var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  var principal = ssm.createCodebasePrincipal(uri, {});
 
   if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
     dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
   }
   pm.addFromPrincipal(principal, "offline-app", Ci.nsIPermissionManager.ALLOW_ACTION);
 
   var ps = Cc["@mozilla.org/preferences-service;1"]
     .getService(Ci.nsIPrefBranch);
--- a/netwerk/test/unit/test_fallback_redirect-to-different-origin_passing.js
+++ b/netwerk/test/unit/test_fallback_redirect-to-different-origin_passing.js
@@ -75,20 +75,20 @@ function run_test()
   httpServer.registerPathHandler("/masterEntry", masterEntryHandler);
   httpServer.registerPathHandler("/manifest", manifestHandler);
   httpServer.registerPathHandler("/content", contentHandler);
   httpServer.registerPathHandler(randomPath, redirectHandler);
   httpServer.start(-1);
 
   var pm = Cc["@mozilla.org/permissionmanager;1"]
     .getService(Ci.nsIPermissionManager);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
   var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  var principal = ssm.createCodebasePrincipal(uri, {});
 
   if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
     dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
   }
   pm.addFromPrincipal(principal, "offline-app", Ci.nsIPermissionManager.ALLOW_ACTION);
 
   var ps = Cc["@mozilla.org/preferences-service;1"]
     .getService(Ci.nsIPrefBranch);
--- a/netwerk/test/unit/test_fallback_request-error_canceled.js
+++ b/netwerk/test/unit/test_fallback_request-error_canceled.js
@@ -74,20 +74,20 @@ function run_test()
   httpServer = new HttpServer();
   httpServer.registerPathHandler("/masterEntry", masterEntryHandler);
   httpServer.registerPathHandler("/manifest", manifestHandler);
   httpServer.registerPathHandler("/content", contentHandler);
   httpServer.start(-1);
 
   var pm = Cc["@mozilla.org/permissionmanager;1"]
     .getService(Ci.nsIPermissionManager);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
   var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  var principal = ssm.createCodebasePrincipal(uri, {});
 
   if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
     dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
   }
   pm.addFromPrincipal(principal, "offline-app", Ci.nsIPermissionManager.ALLOW_ACTION);
 
   var ps = Cc["@mozilla.org/preferences-service;1"]
     .getService(Ci.nsIPrefBranch);
--- a/netwerk/test/unit/test_fallback_request-error_passing.js
+++ b/netwerk/test/unit/test_fallback_request-error_passing.js
@@ -74,20 +74,20 @@ function run_test()
   httpServer = new HttpServer();
   httpServer.registerPathHandler("/masterEntry", masterEntryHandler);
   httpServer.registerPathHandler("/manifest", manifestHandler);
   httpServer.registerPathHandler("/content", contentHandler);
   httpServer.start(-1);
 
   var pm = Cc["@mozilla.org/permissionmanager;1"]
     .getService(Ci.nsIPermissionManager);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
   var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  var principal = ssm.createCodebasePrincipal(uri, {});
 
   if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
     dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
   }
   pm.addFromPrincipal(principal, "offline-app", Ci.nsIPermissionManager.ALLOW_ACTION);
 
   var ps = Cc["@mozilla.org/preferences-service;1"]
     .getService(Ci.nsIPrefBranch);
--- a/netwerk/test/unit/test_fallback_response-error_canceled.js
+++ b/netwerk/test/unit/test_fallback_response-error_canceled.js
@@ -74,20 +74,20 @@ function run_test()
   httpServer.registerPathHandler("/masterEntry", masterEntryHandler);
   httpServer.registerPathHandler("/manifest", manifestHandler);
   httpServer.registerPathHandler("/content", contentHandler);
   httpServer.registerPathHandler(randomPath, errorHandler);
   httpServer.start(-1);
 
   var pm = Cc["@mozilla.org/permissionmanager;1"]
     .getService(Ci.nsIPermissionManager);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
   var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  var principal = ssm.createCodebasePrincipal(uri, {});
 
   if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
     dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
   }
   pm.addFromPrincipal(principal, "offline-app", Ci.nsIPermissionManager.ALLOW_ACTION);
 
   var ps = Cc["@mozilla.org/preferences-service;1"]
     .getService(Ci.nsIPrefBranch);
--- a/netwerk/test/unit/test_fallback_response-error_passing.js
+++ b/netwerk/test/unit/test_fallback_response-error_passing.js
@@ -74,20 +74,20 @@ function run_test()
   httpServer.registerPathHandler("/masterEntry", masterEntryHandler);
   httpServer.registerPathHandler("/manifest", manifestHandler);
   httpServer.registerPathHandler("/content", contentHandler);
   httpServer.registerPathHandler(randomPath, errorHandler);
   httpServer.start(-1);
 
   var pm = Cc["@mozilla.org/permissionmanager;1"]
     .getService(Ci.nsIPermissionManager);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
   var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  var principal = ssm.createCodebasePrincipal(uri, {});
 
   if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
     dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
   }
   pm.addFromPrincipal(principal, "offline-app", Ci.nsIPermissionManager.ALLOW_ACTION);
 
   var ps = Cc["@mozilla.org/preferences-service;1"]
     .getService(Ci.nsIPrefBranch);
--- a/netwerk/test/unit/test_offlinecache_custom-directory.js
+++ b/netwerk/test/unit/test_offlinecache_custom-directory.js
@@ -98,20 +98,20 @@ function run_test()
   httpServer.start(4444);
 
   var profileDir = do_get_profile();
   var customDir = profileDir.clone();
   customDir.append("customOfflineCacheDir" + Math.random());
 
   var pm = Cc["@mozilla.org/permissionmanager;1"]
     .getService(Ci.nsIPermissionManager);
+  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
   var uri = make_uri("http://localhost:4444");
-  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(uri);
+  var principal = ssm.createCodebasePrincipal(uri, {});
 
   if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
     dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
   }
   pm.addFromPrincipal(principal, "offline-app", Ci.nsIPermissionManager.ALLOW_ACTION);
 
   var ps = Cc["@mozilla.org/preferences-service;1"]
     .getService(Ci.nsIPrefBranch);
--- a/netwerk/test/unit/test_packaged_app_service.js
+++ b/netwerk/test/unit/test_packaged_app_service.js
@@ -55,20 +55,20 @@ function packagedAppContentHandler(metad
   if (packagedAppRequestsMade == 3) {
     // The third request returns a 200 OK response with a slightly different content
     body = body.replace(/\.\.\./g, 'xxx');
   }
   response.bodyOutputStream.write(body, body.length);
 }
 
 function getPrincipal(url) {
+  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
   let uri = createURI(url);
-  return Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-         .getService(Ci.nsIScriptSecurityManager)
-         .getNoAppCodebasePrincipal(uri);
+  return ssm.createCodebasePrincipal(uri, {});
 }
 
 // The package content
 // getData formats it as described at http://www.w3.org/TR/web-packaging/#streamable-package-format
 var testData = {
   content: [
    { headers: ["Content-Location: /index.html", "Content-Type: text/html"], data: "<html>\r\n  <head>\r\n    <script src=\"/scripts/app.js\"></script>\r\n    ...\r\n  </head>\r\n  ...\r\n</html>\r\n", type: "text/html" },
    { headers: ["Content-Location: /scripts/app.js", "Content-Type: text/javascript"], data: "module Math from '/scripts/helpers/math.js';\r\n...\r\n", type: "text/javascript" },
--- a/netwerk/test/unit/test_packaged_app_service_paths.js
+++ b/netwerk/test/unit/test_packaged_app_service_paths.js
@@ -7,20 +7,20 @@ function packagedAppContentHandler(metad
 {
   response.setHeader("Content-Type", 'application/package');
   var body = testData.getData();
   response.bodyOutputStream.write(body, body.length);
   gRequestNo++;
 }
 
 function getPrincipal(url) {
+  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
   let uri = createURI(url);
-  return Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-         .getService(Ci.nsIScriptSecurityManager)
-         .getNoAppCodebasePrincipal(uri);
+  return ssm.createCodebasePrincipal(uri, {});
 }
 
 var subresourcePaths = [
   [ "/index.html", "index.html" ],
   [ "index.html",  "index.html" ],
   [ "/../../index.html", "index.html" ],
   [ "../../index.html", "index.html" ],
   [ "/hello/./.././index.html", "index.html" ],
--- a/netwerk/test/unit/test_permmgr.js
+++ b/netwerk/test/unit/test_permmgr.js
@@ -41,25 +41,25 @@ function run_test() {
 
   // nsIPermissionManager implementation is an extension; don't fail if it's not there
   if (!pm)
     return;
 
   // put a few hosts in
   for (var i = 0; i < hosts.length; ++i) {
     let uri = ioService.newURI(hosts[i][0], null, null);
-    let principal = secMan.getNoAppCodebasePrincipal(uri);
+    let principal = secMan.createCodebasePrincipal(uri, {});
 
     pm.addFromPrincipal(principal, hosts[i][1], hosts[i][2]);
   }
 
   // test the result
   for (var i = 0; i < results.length; ++i) {
     let uri = ioService.newURI(results[i][0], null, null);
-    let principal = secMan.getNoAppCodebasePrincipal(uri);
+    let principal = secMan.createCodebasePrincipal(uri, {});
 
     do_check_eq(pm.testPermissionFromPrincipal(principal, results[i][1]), results[i][2]);
     do_check_eq(pm.testExactPermissionFromPrincipal(principal, results[i][1]), results[i][3]);
   }
 
   // test the enumerator ...
   var j = 0;
   var perms = new Array();
--- a/services/sync/Weave.js
+++ b/services/sync/Weave.js
@@ -183,16 +183,17 @@ AboutWeaveLog.prototype = {
     let channel = Services.io.newChannelFromURIWithLoadInfo(uri, aLoadInfo);
 
     channel.originalURI = aURI;
 
     // Ensure that the about page has the same privileges as a regular directory
     // view. That way links to files can be opened.
     let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
                 .getService(Ci.nsIScriptSecurityManager);
-    let principal = ssm.getNoAppCodebasePrincipal(uri);
+    let principal = ssm.createCodebasePrincipal(uri, {});
+
     channel.owner = principal;
     return channel;
   }
 };
 
 const components = [WeaveService, AboutWeaveLog];
 this.NSGetFactory = XPCOMUtils.generateNSGetFactory(components);
--- a/testing/mochitest/tests/Harness_sanity/test_bug816847.html
+++ b/testing/mochitest/tests/Harness_sanity/test_bug816847.html
@@ -29,24 +29,24 @@ const appsSvc = Cc["@mozilla.org/AppsSer
                   .getService(Ci.nsIAppsService)
 
 const manifest = "https://example.com/manifest.webapp";
 const allow = Ci.nsIPermissionManager.ALLOW_ACTION;
 const unknown = Ci.nsIPermissionManager.UNKNOWN_ACTION;
 const perms = ['network-events', 'geolocation', 'camera', 'alarms']
 
 function createPrincipal(aURI, aIsApp, aIsInBrowserElement) {
-  if(aIsApp) {
+  if (aIsApp) {
     var app = appsSvc.getAppByManifestURL(aURI);
     return app.principal;
   }
 
   var uri = Services.io.newURI(aURI, null, null);
   return Services.scriptSecurityManager
-                 .getNoAppCodebasePrincipal(uri);
+                 .createCodebasePrincipal(uri, {});
 }
 
 // test addPermission and removePermission
 function starttest(){
   var app = appsSvc.getAppByManifestURL(manifest);
   ok(app != null, "Got an app "); 
 
   var origin = app.origin 
--- a/toolkit/components/downloads/ApplicationReputation.cpp
+++ b/toolkit/components/downloads/ApplicationReputation.cpp
@@ -10,29 +10,29 @@
 #include "csd.pb.h"
 
 #include "nsIArray.h"
 #include "nsIApplicationReputation.h"
 #include "nsIChannel.h"
 #include "nsIHttpChannel.h"
 #include "nsIIOService.h"
 #include "nsIPrefService.h"
-#include "nsIScriptSecurityManager.h"
 #include "nsISimpleEnumerator.h"
 #include "nsIStreamListener.h"
 #include "nsIStringStream.h"
 #include "nsITimer.h"
 #include "nsIUploadChannel2.h"
 #include "nsIURI.h"
 #include "nsIURL.h"
 #include "nsIUrlClassifierDBService.h"
 #include "nsIX509Cert.h"
 #include "nsIX509CertDB.h"
 #include "nsIX509CertList.h"
 
+#include "mozilla/BasePrincipal.h"
 #include "mozilla/Preferences.h"
 #include "mozilla/Services.h"
 #include "mozilla/Telemetry.h"
 #include "mozilla/TimeStamp.h"
 #include "mozilla/LoadContext.h"
 
 #include "nsAutoPtr.h"
 #include "nsCOMPtr.h"
@@ -45,16 +45,18 @@
 #include "nsTArray.h"
 #include "nsThreadUtils.h"
 #include "nsXPCOMStrings.h"
 
 #include "nsIContentPolicy.h"
 #include "nsILoadInfo.h"
 #include "nsContentUtils.h"
 
+using mozilla::BasePrincipal;
+using mozilla::OriginAttributes;
 using mozilla::Preferences;
 using mozilla::TimeStamp;
 using mozilla::Telemetry::Accumulate;
 using safe_browsing::ClientDownloadRequest;
 using safe_browsing::ClientDownloadRequest_CertificateChain;
 using safe_browsing::ClientDownloadRequest_Resource;
 using safe_browsing::ClientDownloadRequest_SignatureInfo;
 
@@ -288,23 +290,22 @@ PendingDBLookup::LookupSpecInternal(cons
 {
   nsresult rv;
 
   nsCOMPtr<nsIURI> uri;
   nsCOMPtr<nsIIOService> ios = do_GetService(NS_IOSERVICE_CONTRACTID, &rv);
   rv = ios->NewURI(aSpec, nullptr, nullptr, getter_AddRefs(uri));
   NS_ENSURE_SUCCESS(rv, rv);
 
-  nsCOMPtr<nsIPrincipal> principal;
-  nsCOMPtr<nsIScriptSecurityManager> secMan =
-    do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  rv = secMan->GetNoAppCodebasePrincipal(uri, getter_AddRefs(principal));
-  NS_ENSURE_SUCCESS(rv, rv);
+  OriginAttributes attrs;
+  nsCOMPtr<nsIPrincipal> principal =
+    BasePrincipal::CreateCodebasePrincipal(uri, attrs);
+  if (!principal) {
+    return NS_ERROR_FAILURE;
+  }
 
   // Check local lists to see if the URI has already been whitelisted or
   // blacklisted.
   LOG(("Checking DB service for principal %s [this = %p]", mSpec.get(), this));
   nsCOMPtr<nsIUrlClassifierDBService> dbService =
     do_GetService(NS_URLCLASSIFIERDBSERVICE_CONTRACTID, &rv);
   NS_ENSURE_SUCCESS(rv, rv);
 
--- a/toolkit/components/downloads/test/unit/test_app_rep.js
+++ b/toolkit/components/downloads/test/unit/test_app_rep.js
@@ -312,21 +312,21 @@ add_test(function test_redirect_on_block
                              "http://localhost:4444/download");
   let counts = get_telemetry_counts();
   let listCounts = counts.listCounts;
   listCounts[BLOCK_LIST]++;
   listCounts[ALLOW_LIST]++;
   let secman = Services.scriptSecurityManager;
   let badRedirects = Cc["@mozilla.org/array;1"]
                        .createInstance(Ci.nsIMutableArray);
-  badRedirects.appendElement(secman.getNoAppCodebasePrincipal(exampleURI),
+  badRedirects.appendElement(secman.createCodebasePrincipal(exampleURI, {}),
                              false);
-  badRedirects.appendElement(secman.getNoAppCodebasePrincipal(blocklistedURI),
+  badRedirects.appendElement(secman.createCodebasePrincipal(blocklistedURI, {}),
                              false);
-  badRedirects.appendElement(secman.getNoAppCodebasePrincipal(whitelistedURI),
+  badRedirects.appendElement(secman.createCodebasePrincipal(whitelistedURI, {}),
                              false);
   gAppRep.queryReputation({
     sourceURI: whitelistedURI,
     referrerURI: exampleURI,
     redirects: badRedirects,
     fileSize: 12,
   }, function onComplete(aShouldBlock, aStatus) {
     do_check_eq(Cr.NS_OK, aStatus);
--- a/toolkit/components/places/BookmarkJSONUtils.jsm
+++ b/toolkit/components/places/BookmarkJSONUtils.jsm
@@ -204,17 +204,17 @@ BookmarkImporter.prototype = {
             reject(ex);
           }
         }
       };
 
       let uri = NetUtil.newURI(spec);
       let channel = NetUtil.newChannel({
         uri,
-        loadingPrincipal: Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri),
+        loadingPrincipal: Services.scriptSecurityManager.createCodebasePrincipal(uri, {}),
         contentPolicyType: Ci.nsIContentPolicy.TYPE_INTERNAL_XMLHTTPREQUEST
       });
       let streamLoader = Cc["@mozilla.org/network/stream-loader;1"]
                            .createInstance(Ci.nsIStreamLoader);
       streamLoader.init(streamObserver);
       channel.asyncOpen(streamLoader, channel);
     });
   },
--- a/toolkit/components/places/nsLivemarkService.js
+++ b/toolkit/components/places/nsLivemarkService.js
@@ -523,17 +523,17 @@ Livemark.prototype = {
     try {
       // Create a load group for the request.  This will allow us to
       // automatically keep track of redirects, so we can always
       // cancel the channel.
       let loadgroup = Cc["@mozilla.org/network/load-group;1"].
                       createInstance(Ci.nsILoadGroup);
       let channel = NetUtil.newChannel({
         uri: this.feedURI.spec,
-        loadingPrincipal: Services.scriptSecurityManager.getNoAppCodebasePrincipal(this.feedURI),
+        loadingPrincipal: Services.scriptSecurityManager.createCodebasePrincipal(this.feedURI, {}),
         contentPolicyType: Ci.nsIContentPolicy.TYPE_INTERNAL_XMLHTTPREQUEST
       }).QueryInterface(Ci.nsIHttpChannel);
       channel.loadGroup = loadgroup;
       channel.loadFlags |= Ci.nsIRequest.LOAD_BACKGROUND |
                            Ci.nsIRequest.LOAD_BYPASS_CACHE;
       channel.requestMethod = "GET";
       channel.setRequestHeader("X-Moz", "livebookmarks", false);
 
--- a/toolkit/components/social/SocialService.jsm
+++ b/toolkit/components/social/SocialService.jsm
@@ -148,17 +148,17 @@ XPCOMUtils.defineLazyGetter(SocialServic
     }
   }
   return providers;
 });
 
 function getOriginActivationType(origin) {
   // if this is an about uri, treat it as a directory
   let URI = Services.io.newURI(origin, null, null);
-  let principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(URI);
+  let principal = Services.scriptSecurityManager.createCodebasePrincipal(URI, {});
   if (Services.scriptSecurityManager.isSystemPrincipal(principal) || origin == "moz-safe-about:home") {
     return "internal";
   }
 
   let directories = Services.prefs.getCharPref("social.directories").split(',');
   if (directories.indexOf(origin) >= 0)
     return "directory";
 
@@ -508,17 +508,17 @@ this.SocialService = {
       if (!data['origin']) {
         Cu.reportError("SocialService.manifestFromData directory service provided manifest without origin.");
         return null;
       }
       installOrigin = data.origin;
     }
     // force/fixup origin
     let URI = Services.io.newURI(installOrigin, null, null);
-    principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(URI);
+    principal = Services.scriptSecurityManager.createCodebasePrincipal(URI, {});
     data.origin = principal.origin;
 
     // iconURL and name are required
     let providerHasFeatures = [url for (url of featureURLs) if (data[url])].length > 0;
     if (!providerHasFeatures) {
       Cu.reportError("SocialService.manifestFromData manifest missing required urls.");
       return null;
     }
@@ -709,17 +709,17 @@ function SocialProvider(input) {
   this.shareURL = input.shareURL;
   this.statusURL = input.statusURL;
   this.markURL = input.markURL;
   this.markedIcon = input.markedIcon;
   this.unmarkedIcon = input.unmarkedIcon;
   this.postActivationURL = input.postActivationURL;
   this.origin = input.origin;
   let originUri = Services.io.newURI(input.origin, null, null);
-  this.principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(originUri);
+  this.principal = Services.scriptSecurityManager.createCodebasePrincipal(originUri, {});
   this.ambientNotificationIcons = {};
   this.errorState = null;
   this.frecency = 0;
 
   // this provider has localStorage access in the worker if listed in the
   // whitelist
   let whitelist = Services.prefs.getCharPref("social.whitelist").split(',');
   this.blessed = whitelist.indexOf(this.origin) >= 0;
--- a/toolkit/components/url-classifier/tests/unit/head_urlclassifier.js
+++ b/toolkit/components/url-classifier/tests/unit/head_urlclassifier.js
@@ -216,17 +216,17 @@ tableData : function(expectedTables, cb)
 
 checkUrls: function(urls, expected, cb)
 {
   // work with a copy of the list.
   urls = urls.slice(0);
   var doLookup = function() {
     if (urls.length > 0) {
       var fragment = urls.shift();
-      var principal = secMan.getNoAppCodebasePrincipal(iosvc.newURI("http://" + fragment, null, null));
+      var principal = secMan.createCodebasePrincipal(iosvc.newURI("http://" + fragment, null, null), {});
       dbservice.lookup(principal, allTables,
                                 function(arg) {
                                   do_check_eq(expected, arg);
                                   doLookup();
                                 }, true);
     } else {
       cb();
     }
--- a/toolkit/components/url-classifier/tests/unit/test_dbservice.js
+++ b/toolkit/components/url-classifier/tests/unit/test_dbservice.js
@@ -92,17 +92,17 @@ function testFailure(arg) {
   do_throw(arg);
 }
 
 function checkNoHost()
 {
   // Looking up a no-host uri such as a data: uri should throw an exception.
   var exception;
   try {
-    var principal = secMan.getNoAppCodebasePrincipal(iosvc.newURI("data:text/html,<b>test</b>", null, null));
+    var principal = secMan.createCodebasePrincipal(iosvc.newURI("data:text/html,<b>test</b>", null, null), {});
     dbservice.lookup(principal, allTables);
 
     exception = false;
   } catch(e) {
     exception = true;
   }
   do_check_true(exception);
 
@@ -193,36 +193,37 @@ function unwantedExists(result) {
     checkDone();
   }
 }
 
 function checkState()
 {
   numExpecting = 0;
 
+
   for (var key in phishExpected) {
-    var principal = secMan.getNoAppCodebasePrincipal(iosvc.newURI("http://" + key, null, null));
+    var principal = secMan.createCodebasePrincipal(iosvc.newURI("http://" + key, null, null), {});
     dbservice.lookup(principal, allTables, phishExists, true);
     numExpecting++;
   }
 
   for (var key in phishUnexpected) {
-    var principal = secMan.getNoAppCodebasePrincipal(iosvc.newURI("http://" + key, null, null));
+    var principal = secMan.createCodebasePrincipal(iosvc.newURI("http://" + key, null, null), {});
     dbservice.lookup(principal, allTables, phishDoesntExist, true);
     numExpecting++;
   }
 
   for (var key in malwareExpected) {
-    var principal = secMan.getNoAppCodebasePrincipal(iosvc.newURI("http://" + key, null, null));
+    var principal = secMan.createCodebasePrincipal(iosvc.newURI("http://" + key, null, null), {});
     dbservice.lookup(principal, allTables, malwareExists, true);
     numExpecting++;
   }
 
   for (var key in unwantedExpected) {
-    var principal = secMan.getNoAppCodebasePrincipal(iosvc.newURI("http://" + key, null, null));
+    var principal = secMan.createCodebasePrincipal(iosvc.newURI("http://" + key, null, null), {});
     dbservice.lookup(principal, allTables, unwantedExists, true);
     numExpecting++;
   }
 }
 
 function testSubSuccess(result)
 {
   do_check_eq(result, "1000");
--- a/toolkit/components/url-classifier/tests/unit/test_digest256.js
+++ b/toolkit/components/url-classifier/tests/unit/test_digest256.js
@@ -119,28 +119,28 @@ add_test(function test_update() {
     "goog-downloadwhite-digest256",
     "goog-downloadwhite-digest256;\n",
     "http://localhost:4444/downloads",
     updateSuccess, handleError, handleError);
 });
 
 add_test(function test_url_not_whitelisted() {
   let uri = createURI("http://example.com");
-  let principal = gSecMan.getNoAppCodebasePrincipal(uri);
+  let principal = gSecMan.createCodebasePrincipal(uri, {});
   gDbService.lookup(principal, "goog-downloadwhite-digest256",
     function handleEvent(aEvent) {
       // This URI is not on any lists.
       do_check_eq("", aEvent);
       run_next_test();
     });
 });
 
 add_test(function test_url_whitelisted() {
   // Hash of "whitelisted.com/" (canonicalized URL) is:
   // 93CA5F48E15E9861CD37C2D95DB43D23CC6E6DE5C3F8FA6E8BE66F97CC518907
   let uri = createURI("http://whitelisted.com");
-  let principal = gSecMan.getNoAppCodebasePrincipal(uri);
+  let principal = gSecMan.createCodebasePrincipal(uri, {});
   gDbService.lookup(principal, "goog-downloadwhite-digest256",
     function handleEvent(aEvent) {
       do_check_eq("goog-downloadwhite-digest256", aEvent);
       run_next_test();
     });
 });
--- a/toolkit/forgetaboutsite/test/unit/test_removeDataFromDomain.js
+++ b/toolkit/forgetaboutsite/test/unit/test_removeDataFromDomain.js
@@ -180,19 +180,19 @@ function check_login_exists(aHost, aExis
  * @param aURI
  *        The URI to add the test permission for.
  */
 function add_permission(aURI)
 {
   check_permission_exists(aURI, false);
   let pm = Cc["@mozilla.org/permissionmanager;1"].
            getService(Ci.nsIPermissionManager);
-  let principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(aURI);
+  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+  let principal = ssm.createCodebasePrincipal(aURI, {});
 
   pm.addFromPrincipal(principal, PERMISSION_TYPE, PERMISSION_VALUE);
   check_permission_exists(aURI, true);
 }
 
 /**
  * Checks to see if a permission exists for the given URI.
  *
@@ -200,19 +200,19 @@ function add_permission(aURI)
  *        The URI to check if a permission exists.
  * @param aExists
  *        True if the permission should exist, false otherwise.
  */
 function check_permission_exists(aURI, aExists)
 {
   let pm = Cc["@mozilla.org/permissionmanager;1"].
            getService(Ci.nsIPermissionManager);
-  let principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                    .getService(Ci.nsIScriptSecurityManager)
-                    .getNoAppCodebasePrincipal(aURI);
+  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+  let principal = ssm.createCodebasePrincipal(aURI, {});
 
   let perm = pm.testExactPermissionFromPrincipal(principal, PERMISSION_TYPE);
   let checker = aExists ? do_check_eq : do_check_neq;
   checker(perm, PERMISSION_VALUE);
 }
 
 /**
  * Adds a content preference for the specified URI.
@@ -549,19 +549,20 @@ function test_cache_cleared()
   ForgetAboutSite.removeDataFromDomain("mozilla.org");
   do_test_pending();
 }
 
 function test_storage_cleared()
 {
   function getStorageForURI(aURI)
   {
-    let principal = Cc["@mozilla.org/scriptsecuritymanager;1"].
-                    getService(Ci.nsIScriptSecurityManager).
-                    getNoAppCodebasePrincipal(aURI);
+    let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
+              .getService(Ci.nsIScriptSecurityManager);
+    let principal = ssm.createCodebasePrincipal(aURI, {});
+
     let dsm = Cc["@mozilla.org/dom/localStorage-manager;1"].
               getService(Ci.nsIDOMStorageManager);
     return dsm.createStorage(null, principal, "");
   }
 
   let s = [
     getStorageForURI(uri("http://mozilla.org")),
     getStorageForURI(uri("http://my.mozilla.org")),
--- a/toolkit/modules/NewTabUtils.jsm
+++ b/toolkit/modules/NewTabUtils.jsm
@@ -20,17 +20,17 @@ XPCOMUtils.defineLazyModuleGetter(this, 
 XPCOMUtils.defineLazyModuleGetter(this, "PageThumbs",
   "resource://gre/modules/PageThumbs.jsm");
 
 XPCOMUtils.defineLazyModuleGetter(this, "BinarySearch",
   "resource://gre/modules/BinarySearch.jsm");
 
 XPCOMUtils.defineLazyGetter(this, "gPrincipal", function () {
   let uri = Services.io.newURI("about:newtab", null, null);
-  return Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri);
+  return Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
 });
 
 XPCOMUtils.defineLazyGetter(this, "gCryptoHash", function () {
   return Cc["@mozilla.org/security/hash;1"].createInstance(Ci.nsICryptoHash);
 });
 
 XPCOMUtils.defineLazyGetter(this, "gUnicodeConverter", function () {
   let converter = Cc["@mozilla.org/intl/scriptableunicodeconverter"]
--- a/toolkit/modules/PermissionsUtils.jsm
+++ b/toolkit/modules/PermissionsUtils.jsm
@@ -34,18 +34,18 @@ function importPrefBranch(aPrefBranch, a
         // This preference used to contain a list of hosts. For back-compat
         // reasons, we convert these hosts into http:// and https:// permissions
         // on default ports.
         try {
           let httpURI = Services.io.newURI("http://" + origin, null, null);
           let httpsURI = Services.io.newURI("https://" + origin, null, null);
 
           principals = [
-            Services.scriptSecurityManager.getNoAppCodebasePrincipal(httpURI),
-            Services.scriptSecurityManager.getNoAppCodebasePrincipal(httpsURI)
+            Services.scriptSecurityManager.createCodebasePrincipal(httpURI, {}),
+            Services.scriptSecurityManager.createCodebasePrincipal(httpsURI, {})
           ];
         } catch (e2) {}
       }
 
       for (let principal of principals) {
         try {
           Services.perms.addFromPrincipal(principal, aPermission, aAction);
         } catch (e) {}
--- a/toolkit/webapps/NativeApp.jsm
+++ b/toolkit/webapps/NativeApp.jsm
@@ -452,20 +452,19 @@ function downloadIcon(aIconURI) {
     });
 #endif
 
     // If not fetching an icon from chrome:// then we should create a
     // NoAppCodeBasePrincipal. Note, that we are still in the process of
     // installing the app, hence app.origin is not available yet and
     // therefore we can not call getAppCodebasePrincipal.
     let principal =
-      aIconURI.schemeIs("chrome") ? Services.scriptSecurityManager
-                                            .getSystemPrincipal()
-                                  : Services.scriptSecurityManager
-                                            .getNoAppCodebasePrincipal(aIconURI);
+      aIconURI.schemeIs("chrome") ?
+        Services.scriptSecurityManager.getSystemPrincipal() :
+        Services.scriptSecurityManager.createCodebasePrincipal(aIconURI, {});
 
     let channel = NetUtil.newChannel({
       uri: aIconURI,
       loadingPrincipal: principal,
       contentPolicyType: Ci.nsIContentPolicy.TYPE_IMAGE});
     let { BadCertHandler } = Cu.import("resource://gre/modules/CertUtils.jsm", {});
     // Pass true to avoid optional redirect-cert-checking behavior.
     channel.notificationCallbacks = new BadCertHandler(true);
--- a/uriloader/prefetch/nsOfflineCacheUpdateService.cpp
+++ b/uriloader/prefetch/nsOfflineCacheUpdateService.cpp
@@ -24,17 +24,16 @@
 #include "nsIDocument.h"
 #include "nsIObserverService.h"
 #include "nsIURL.h"
 #include "nsIWebProgress.h"
 #include "nsIWebNavigation.h"
 #include "nsICryptoHash.h"
 #include "nsIPermissionManager.h"
 #include "nsIPrincipal.h"
-#include "nsIScriptSecurityManager.h"
 #include "nsNetCID.h"
 #include "nsServiceManagerUtils.h"
 #include "nsStreamUtils.h"
 #include "nsThreadUtils.h"
 #include "nsProxyRelease.h"
 #include "mozilla/Logging.h"
 #include "nsIAsyncVerifyRedirectCallback.h"
 #include "mozilla/Preferences.h"
@@ -713,30 +712,30 @@ nsOfflineCacheUpdateService::OfflineAppA
     return OfflineAppPermForPrincipal(aPrincipal, aPrefBranch, false, aAllowed);
 }
 
 NS_IMETHODIMP
 nsOfflineCacheUpdateService::OfflineAppAllowedForURI(nsIURI *aURI,
                                                      nsIPrefBranch *aPrefBranch,
                                                      bool *aAllowed)
 {
-    nsCOMPtr<nsIPrincipal> principal;
-    nsContentUtils::GetSecurityManager()->
-        GetNoAppCodebasePrincipal(aURI, getter_AddRefs(principal));
+    OriginAttributes attrs;
+    nsCOMPtr<nsIPrincipal> principal =
+        BasePrincipal::CreateCodebasePrincipal(aURI, attrs);
     return OfflineAppPermForPrincipal(principal, aPrefBranch, false, aAllowed);
 }
 
 nsresult
 nsOfflineCacheUpdateService::OfflineAppPinnedForURI(nsIURI *aDocumentURI,
                                                     nsIPrefBranch *aPrefBranch,
                                                     bool *aPinned)
 {
-    nsCOMPtr<nsIPrincipal> principal;
-    nsContentUtils::GetSecurityManager()->
-        GetNoAppCodebasePrincipal(aDocumentURI, getter_AddRefs(principal));
+    OriginAttributes attrs;
+    nsCOMPtr<nsIPrincipal> principal =
+        BasePrincipal::CreateCodebasePrincipal(aDocumentURI, attrs);
     return OfflineAppPermForPrincipal(principal, aPrefBranch, true, aPinned);
 }
 
 NS_IMETHODIMP
 nsOfflineCacheUpdateService::AllowOfflineApp(nsIDOMWindow *aWindow,
                                              nsIPrincipal *aPrincipal)
 {
     nsresult rv;