Bug 1196988 - Remove THA support. r=gwagner
authorFabrice Desré <fabrice@mozilla.com>
Fri, 21 Aug 2015 10:00:54 -0700
changeset 258681 de921857f45204056731cf26407ce2d55cbcc9b6
parent 258680 9b7811028a40a67543d320a4fc3b6642518d32d6
child 258682 241bc7a9edd25aedcf84febbe7a1ecf46f75fa04
push id29261
push userryanvm@gmail.com
push dateSun, 23 Aug 2015 19:00:26 +0000
reviewersgwagner
bugs1196988
milestone43.0a1
Bug 1196988 - Remove THA support. r=gwagner
b2g/app/b2g.js
browser/devtools/app-manager/app-validator.js
dom/apps/AppsUtils.jsm
dom/apps/PermissionsInstaller.jsm
dom/apps/PermissionsTable.jsm
dom/apps/StoreTrustAnchor.jsm
dom/apps/TrustedHostedAppsUtils.jsm
dom/apps/Webapps.jsm
dom/apps/moz.build
dom/apps/tests/chrome.ini
dom/apps/tests/file_app.sjs
dom/apps/tests/file_trusted_app.template.webapp
dom/apps/tests/mochitest.ini
dom/apps/tests/test_app_update.html
dom/apps/tests/test_tha_utils.html
dom/messages/SystemMessagePermissionsChecker.jsm
security/apps/AppTrustDomain.cpp
security/manager/ssl/nsIX509CertDB.idl
--- a/b2g/app/b2g.js
+++ b/b2g/app/b2g.js
@@ -431,18 +431,16 @@ pref("content.ime.strict_policy", true);
 // $ adb shell stop
 // $ adb shell setprop log.redirect-stdio true
 // $ adb shell start
 pref("browser.dom.window.dump.enabled", false);
 
 // Default Content Security Policy to apply to certified apps.
 // If you change this CSP, make sure to update the fast path in nsCSPService.cpp
 pref("security.apps.certified.CSP.default", "default-src * data: blob:; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline' app://theme.gaiamobile.org");
-// Default Content Security Policy to apply to trusted apps.
-pref("security.apps.trusted.CSP.default", "default-src * data: blob:; object-src 'none'; frame-src 'none'");
 
 // handle links targeting new windows
 // 1=current window/tab, 2=new window, 3=new tab in most recent window
 pref("browser.link.open_newwindow", 3);
 
 // 0: no restrictions - divert everything
 // 1: don't divert window.open at all
 // 2: don't divert window.open with features
--- a/browser/devtools/app-manager/app-validator.js
+++ b/browser/devtools/app-manager/app-validator.js
@@ -245,17 +245,17 @@ AppValidator.prototype.validateLaunchPat
     deferred.resolve();
   }
 
   return deferred.promise;
 };
 
 AppValidator.prototype.validateType = function (manifest) {
   let appType = manifest.type || "web";
-  if (["web", "trusted", "privileged", "certified"].indexOf(appType) === -1) {
+  if (["web", "privileged", "certified"].indexOf(appType) === -1) {
     this.error(strings.formatStringFromName("validator.invalidAppType", [appType], 1));
   } else if (this.type == "hosted" &&
              ["certified", "privileged"].indexOf(appType) !== -1) {
     this.error(strings.formatStringFromName("validator.invalidHostedPriviledges", [appType], 1));
   }
 
   // certified app are not fully supported on the simulator
   if (appType === "certified") {
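Review bot: The accepted manifest types are now spelled out in two places, the array literal in `validateType` here and the `switch` in `AppsUtils.getAppManifestStatus`, and this commit had to edit both to drop `"trusted"`. A comment above the check such as `// Keep in sync with AppsUtils.getAppManifestStatus(), which throws for any other type` would make that coupling visible to whoever next adds or removes a privilege tier. The function also mixes `this.type == "hosted"` with `appType === "certified"`; using `===` throughout would be consistent. The body of validateType continues past the end of the hunk.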
--- a/dom/apps/AppsUtils.jsm
+++ b/dom/apps/AppsUtils.jsm
@@ -21,18 +21,17 @@ XPCOMUtils.defineLazyModuleGetter(this, 
 
 XPCOMUtils.defineLazyModuleGetter(this, "NetUtil",
   "resource://gre/modules/NetUtil.jsm");
 
 XPCOMUtils.defineLazyServiceGetter(this, "appsService",
                                    "@mozilla.org/AppsService;1",
                                    "nsIAppsService");
 
-// Shared code for AppsServiceChild.jsm, TrustedHostedAppsUtils.jsm,
-// Webapps.jsm and Webapps.js
+// Shared code for AppsServiceChild.jsm, Webapps.jsm and Webapps.js
 
 this.EXPORTED_SYMBOLS =
   ["AppsUtils", "ManifestHelper", "isAbsoluteURI", "mozIApplication"];
 
 function debug(s) {
   //dump("-*- AppsUtils.jsm: " + s + "\n");
 }
 
@@ -295,19 +294,17 @@ this.AppsUtils = {
           switch (app.appStatus) {
             case Ci.nsIPrincipal.APP_STATUS_CERTIFIED:
               return Services.prefs.getCharPref("security.apps.certified.CSP.default");
               break;
             case Ci.nsIPrincipal.APP_STATUS_PRIVILEGED:
               return Services.prefs.getCharPref("security.apps.privileged.CSP.default");
               break;
             case Ci.nsIPrincipal.APP_STATUS_INSTALLED:
-              return app.kind == "hosted-trusted"
-                ? Services.prefs.getCharPref("security.apps.trusted.CSP.default")
-                : "";
+              return "";
               break;
           }
         } catch(e) {}
       }
     }
 
     return "default-src 'self'; object-src 'none'";
   },
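Review bot: After this change every `APP_STATUS_INSTALLED` app gets `""` as its default CSP, including any app already in the registry with `kind == "hosted-trusted"`, which until now received the `security.apps.trusted.CSP.default` policy. Nothing in this hunk shows how such existing installs are handled (that may live in Webapps.jsm, outside this hunk), so it is worth confirming they are removed or downgraded rather than left running with no default policy. The `break;` after each `return` is unreachable, and the empty `catch(e) {}` hides a failed pref read; a comment like `// A failed pref read falls through to the restrictive default below` would document that the fallback appears to be intentional. The enclosing function starts above the hunk.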
@@ -600,17 +597,16 @@ this.AppsUtils = {
    * @param object aManifest
    * @returns integer
    **/
   getAppManifestStatus: function getAppManifestStatus(aManifest) {
     let type = aManifest.type || "web";
 
     switch(type) {
     case "web":
-    case "trusted":
       return Ci.nsIPrincipal.APP_STATUS_INSTALLED;
     case "privileged":
       return Ci.nsIPrincipal.APP_STATUS_PRIVILEGED;
     case "certified":
       return Ci.nsIPrincipal.APP_STATUS_CERTIFIED;
     default:
       throw new Error("Webapps.jsm: Undetermined app manifest type");
     }
--- a/dom/apps/PermissionsInstaller.jsm
+++ b/dom/apps/PermissionsInstaller.jsm
@@ -102,19 +102,16 @@ this.PermissionsInstaller = {
       case Ci.nsIPrincipal.APP_STATUS_CERTIFIED:
         appStatus = "certified";
         break;
       case Ci.nsIPrincipal.APP_STATUS_PRIVILEGED:
         appStatus = "privileged";
         break;
       case Ci.nsIPrincipal.APP_STATUS_INSTALLED:
         appStatus = "app";
-        if (aApp.kind == "hosted-trusted") {
-          appStatus = "trusted";
-        }
         break;
       default:
         // Cannot determine app type, abort install by throwing an error.
         throw new Error("PermissionsInstaller.jsm: " +
                         "Cannot determine the app's status. Install cancelled.");
         break;
       }
 
--- a/dom/apps/PermissionsTable.jsm
+++ b/dom/apps/PermissionsTable.jsm
@@ -30,557 +30,470 @@ const PROMPT_ACTION = Ci.nsIPermissionMa
 // Permissions Matrix: https://docs.google.com/spreadsheet/ccc?key=0Akyz_Bqjgf5pdENVekxYRjBTX0dCXzItMnRyUU1RQ0E#gid=0
 
 // Permissions that are implicit:
 // battery-status, network-information, vibration,
 // device-capabilities
 
 this.PermissionsTable =  { geolocation: {
                              app: PROMPT_ACTION,
-                             trusted: PROMPT_ACTION,
                              privileged: PROMPT_ACTION,
                              certified: PROMPT_ACTION
                            },
                            "geolocation-noprompt": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION,
                              substitute: ["geolocation"]
                            },
                            camera: {
                              app: DENY_ACTION,
-                             trusted: PROMPT_ACTION,
                              privileged: PROMPT_ACTION,
                              certified: ALLOW_ACTION
                            },
                            alarms: {
                              app: ALLOW_ACTION,
-                             trusted: ALLOW_ACTION,
                              privileged: ALLOW_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "tcp-socket": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: ALLOW_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "udp-socket": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: ALLOW_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "network-events": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            contacts: {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: PROMPT_ACTION,
                              certified: ALLOW_ACTION,
                              access: ["read", "write", "create"]
                            },
                            "device-storage:apps": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION,
                              access: ["read"]
                            },
                            "device-storage:crashes": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION,
                              access: ["read"]
                            },
                            "device-storage:pictures": {
                              app: DENY_ACTION,
-                             trusted: PROMPT_ACTION,
                              privileged: PROMPT_ACTION,
                              certified: ALLOW_ACTION,
                              access: ["read", "write", "create"]
                            },
                            "device-storage:videos": {
                              app: DENY_ACTION,
-                             trusted: PROMPT_ACTION,
                              privileged: PROMPT_ACTION,
                              certified: ALLOW_ACTION,
                              access: ["read", "write", "create"]
                            },
                            "device-storage:music": {
                              app: DENY_ACTION,
-                             trusted: PROMPT_ACTION,
                              privileged: PROMPT_ACTION,
                              certified: ALLOW_ACTION,
                              access: ["read", "write", "create"]
                            },
                            "device-storage:sdcard": {
                              app: DENY_ACTION,
-                             trusted: PROMPT_ACTION,
                              privileged: PROMPT_ACTION,
                              certified: ALLOW_ACTION,
                              access: ["read", "write", "create"]
                            },
                            sms: {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            telephony: {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            browser: {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: ALLOW_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "browser:universalxss": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: ALLOW_ACTION,
                              certified: ALLOW_ACTION
                            },
                            bluetooth: {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            mobileconnection: {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            mobilenetwork: {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: ALLOW_ACTION,
                              certified: ALLOW_ACTION
                            },
                            power: {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            push: {
                             app: ALLOW_ACTION,
-                            trusted: ALLOW_ACTION,
                             privileged: ALLOW_ACTION,
                             certified: ALLOW_ACTION
                            },
                            settings: {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION,
                              access: ["read", "write"],
                              additional: ["indexedDB-chrome-settings", "settings-api"]
                            },
                            // This exists purely for tests, no app
                            // should ever use it. It can only be
                            // handed out by SpecialPowers.
                            "settings-clear": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: DENY_ACTION,
                              additional: ["indexedDB-chrome-settings", "settings-api"]
                            },
                            permissions: {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            phonenumberservice: {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            fmradio: {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: ALLOW_ACTION,
                              certified: ALLOW_ACTION
                            },
                            attention: {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "global-clickthrough-overlay": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: ALLOW_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "moz-attention": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: ALLOW_ACTION,
                              certified: ALLOW_ACTION,
                              substitute: ["attention"]
                            },
                            "webapps-manage": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "homescreen-webapps-manage": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: ALLOW_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "backgroundservice": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "desktop-notification": {
                              app: ALLOW_ACTION,
-                             trusted: ALLOW_ACTION,
                              privileged: ALLOW_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "networkstats-manage": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "resourcestats-manage": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "wifi-manage": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "systemXHR": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: ALLOW_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "voicemail": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "idle": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "time": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "embed-apps": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "embed-widgets": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: ALLOW_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "background-sensors": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            cellbroadcast: {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "audio-channel-normal": {
                              app: ALLOW_ACTION,
-                             trusted: ALLOW_ACTION,
                              privileged: ALLOW_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "audio-channel-content": {
                              app: ALLOW_ACTION,
-                             trusted: ALLOW_ACTION,
                              privileged: ALLOW_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "audio-channel-notification": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: ALLOW_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "audio-channel-alarm": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: ALLOW_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "audio-channel-system": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: ALLOW_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "audio-channel-telephony": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "moz-audio-channel-telephony": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: ALLOW_ACTION,
                              certified: ALLOW_ACTION,
                              substitute: ["audio-channel-telephony"]
                            },
                            "audio-channel-ringer": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "moz-audio-channel-ringer": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: ALLOW_ACTION,
                              certified: ALLOW_ACTION,
                              substitute: ["audio-channel-ringer"]
                            },
                            "audio-channel-publicnotification": {
                              app: DENY_ACTION,
-                             trusted: ALLOW_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "open-remote-window": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "input": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: ALLOW_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "input-manage": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "wappush": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "audio-capture": {
                              app: PROMPT_ACTION,
-                             trusted: PROMPT_ACTION,
                              privileged: PROMPT_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "audio-capture:3gpp": {
-			     app: DENY_ACTION,
-			     trusted: DENY_ACTION,
-			     privileged: ALLOW_ACTION,
-			     certified: ALLOW_ACTION
-			   },
-			   "nfc": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
+                             privileged: ALLOW_ACTION,
+                             certified: ALLOW_ACTION
+                           },
+                           "nfc": {
+                             app: DENY_ACTION,
                              privileged: ALLOW_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "nfc-share": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "nfc-manager": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "nfc-hci-events": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "speaker-control": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: ALLOW_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "downloads": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "video-capture": {
                              app: PROMPT_ACTION,
-                             trusted: PROMPT_ACTION,
                              privileged: PROMPT_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "feature-detection": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: ALLOW_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "mobileid": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: PROMPT_ACTION,
                              certified: PROMPT_ACTION
                            },
                            // This permission doesn't actually grant access to
                            // anything. It exists only to check the correctness
                            // of web prompt composed permissions in tests.
                            "test-permission": {
                              app: PROMPT_ACTION,
-                             trusted: PROMPT_ACTION,
                              privileged: PROMPT_ACTION,
                              certified: ALLOW_ACTION,
                              access: ["read", "write", "create"]
                            },
                            "firefox-accounts": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "moz-firefox-accounts": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: PROMPT_ACTION,
                              certified: ALLOW_ACTION,
                              substitute: ["firefox-accounts"]
-                             },
+                           },
                            "themeable": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "settings:wallpaper.image": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: ALLOW_ACTION,
                              certified: ALLOW_ACTION,
                              access: ["read", "write"],
                              additional: ["settings-api"]
                            },
                            "engineering-mode": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "tv": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "before-after-keyboard-event": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "presentation-device-manage": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "requestsync-manager": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "secureelement-manage": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "inputport": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "external-app": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: ALLOW_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "system-update": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "presentation": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: ALLOW_ACTION,
                              certified: ALLOW_ACTION
                            },
                            "open-hidden-window": {
                              app: DENY_ACTION,
-                             trusted: DENY_ACTION,
                              privileged: DENY_ACTION,
                              certified: ALLOW_ACTION
                            },
                          };
 
 /**
  * Append access modes to the permission name as suffixes.
  *   e.g. permission name 'contacts' with ['read', 'write'] =
@@ -723,17 +636,17 @@ this.isExplicitInPermissionsTable = func
   switch (aIntStatus) {
     case Ci.nsIPrincipal.APP_STATUS_CERTIFIED:
       appStatus = "certified";
       break;
     case Ci.nsIPrincipal.APP_STATUS_PRIVILEGED:
       appStatus = "privileged";
       break;
     default: // If it isn't certified or privileged, it's app
-      appStatus = aAppKind == "hosted-trusted" ? "trusted" : "app";
+      appStatus = "app";
       break;
   }
 
   let realPerm = PermissionsReverseTable[aPermName];
 
   if (realPerm) {
     return (PermissionsTable[realPerm][appStatus] ==
             Ci.nsIPermissionManager.PROMPT_ACTION);
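Review bot: `aAppKind` is no longer read in the `default:` branch, so if `isExplicitInPermissionsTable` still declares it (the signature is above this hunk and not visible) it is now a dead parameter. A dead parameter here wrongly suggests that the app kind still influences the permission decision. I would drop it from the signature and the call sites in the same change, or state it in the function's doc comment, e.g. `// aAppKind is ignored since trusted hosted apps were removed (bug 1196988).` The function body also continues past the end of the hunk.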
--- a/dom/apps/StoreTrustAnchor.jsm
+++ b/dom/apps/StoreTrustAnchor.jsm
@@ -11,18 +11,16 @@ this.EXPORTED_SYMBOLS = [
   "TrustedRootCertificate"
 ];
 
 const APP_TRUSTED_ROOTS= ["AppMarketplaceProdPublicRoot",
                           "AppMarketplaceProdReviewersRoot",
                           "AppMarketplaceDevPublicRoot",
                           "AppMarketplaceDevReviewersRoot",
                           "AppMarketplaceStageRoot",
-                          "TrustedHostedAppPublicRoot",
-                          "TrustedHostedAppTestRoot",
                           "AppXPCShellRoot"];
 
 this.TrustedRootCertificate = {
   _index: Ci.nsIX509CertDB.AppMarketplaceProdPublicRoot,
   get index() {
     return this._index;
   },
   set index(aIndex) {
deleted file mode 100644
--- a/dom/apps/TrustedHostedAppsUtils.jsm
+++ /dev/null
@@ -1,281 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-/* global Components, Services, dump, AppsUtils, NetUtil, XPCOMUtils */
-
-"use strict";
-
-const Cu = Components.utils;
-const Cc = Components.classes;
-const Ci = Components.interfaces;
-const Cr = Components.results;
-const signatureFileExtension = ".sig";
-
-this.EXPORTED_SYMBOLS = ["TrustedHostedAppsUtils"];
-
-Cu.import("resource://gre/modules/AppsUtils.jsm");
-Cu.import("resource://gre/modules/Promise.jsm");
-Cu.import("resource://gre/modules/Services.jsm");
-Cu.import("resource://gre/modules/XPCOMUtils.jsm");
-
-XPCOMUtils.defineLazyModuleGetter(this, "NetUtil",
-  "resource://gre/modules/NetUtil.jsm");
-
-#ifdef MOZ_WIDGET_ANDROID
-// On Android, define the "debug" function as a binding of the "d" function
-// from the AndroidLog module so it gets the "debug" priority and a log tag.
-// We always report debug messages on Android because it's unnecessary
-// to restrict reporting, per bug 1003469.
-let debug = Cu
-  .import("resource://gre/modules/AndroidLog.jsm", {})
-  .AndroidLog.d.bind(null, "TrustedHostedAppsUtils");
-#else
-// Elsewhere, report debug messages only if dom.mozApps.debug is set to true.
-// The pref is only checked once, on startup, so restart after changing it.
-let debug = Services.prefs.getBoolPref("dom.mozApps.debug") ?
-  aMsg => dump("-*- TrustedHostedAppsUtils.jsm : " + aMsg + "\n") :
-  () => {};
-#endif
-
-/**
- * Verification functions for Trusted Hosted Apps.
- */
-this.TrustedHostedAppsUtils = {
-
-  /**
-   * Check if the given host is pinned in the CA pinning database.
-   */
-  isHostPinned: function (aUrl) {
-    let uri;
-    try {
-      uri = Services.io.newURI(aUrl, null, null);
-    } catch(e) {
-      debug("Host parsing failed: " + e);
-      return false;
-    }
-
-    // TODO: use nsSiteSecurityService.isSecureURI()
-    if (!uri.host || "https" != uri.scheme) {
-      return false;
-    }
-
-    // Check certificate pinning
-    let siteSecurityService;
-    try {
-      siteSecurityService = Cc["@mozilla.org/ssservice;1"]
-        .getService(Ci.nsISiteSecurityService);
-    } catch (e) {
-      debug("nsISiteSecurityService error: " + e);
-      // unrecoverable error, don't bug the user
-      throw "CERTDB_ERROR";
-    }
-
-    if (siteSecurityService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
-                                         uri.host, 0)) {
-      debug("\tvalid certificate pinning for host: " + uri.host + "\n");
-      return true;
-    }
-
-    debug("\tHost NOT pinned: " + uri.host + "\n");
-    return false;
-  },
-
-  /**
-   * Take a CSP policy string as input and ensure that it contains at
-   * least the directives that are required ('script-src' and
-   * 'style-src').  If the CSP policy string is 'undefined' or does
-   * not contain some of the required csp directives the function will
-   * return empty list with status set to false.  Otherwise a parsed
-   * list of the unique sources listed from the required csp
-   * directives is returned.
-   */
-  getCSPWhiteList: function(aCsp) {
-    let isValid = false;
-    let whiteList = [];
-    let requiredDirectives = [ "script-src", "style-src" ];
-
-    if (aCsp) {
-      let validDirectives = [];
-      let directives = aCsp.split(";");
-      // TODO: Use nsIContentSecurityPolicy
-      directives
-        .map(aDirective => aDirective.trim().split(" "))
-        .filter(aList => aList.length > 1)
-        // we only restrict on requiredDirectives
-        .filter(aList => (requiredDirectives.indexOf(aList[0]) != -1))
-        .forEach(aList => {
-          // aList[0] contains the directive name.
-          // aList[1..n] contains sources.
-          let directiveName = aList.shift();
-          let sources = aList;
-
-          if ((-1 == validDirectives.indexOf(directiveName))) {
-            validDirectives.push(directiveName);
-          }
-          whiteList.push(...sources.filter(
-             // 'self' is checked separately during manifest check
-            aSource => (aSource !="'self'" && whiteList.indexOf(aSource) == -1)
-          ));
-        });
-
-      // Check if all required directives are present.
-      isValid = requiredDirectives.length === validDirectives.length;
-
-      if (!isValid) {
-        debug("White list doesn't contain all required directives!");
-        whiteList = [];
-      }
-    }
-
-    debug("White list contains " + whiteList.length + " hosts");
-    return { list: whiteList, valid: isValid };
-  },
-
-  /**
-   * Verify that the given csp is valid:
-   *  1. contains required directives "script-src" and "style-src"
-   *  2. required directives contain only "https" URLs
-   *  3. domains of the restricted sources exist in the CA pinning database
-   */
-  verifyCSPWhiteList: function(aCsp) {
-    let domainWhitelist = this.getCSPWhiteList(aCsp);
-    if (!domainWhitelist.valid) {
-      debug("TRUSTED_APPLICATION_WHITELIST_PARSING_FAILED");
-      return false;
-    }
-
-    if (!domainWhitelist.list.every(aUrl => this.isHostPinned(aUrl))) {
-      debug("TRUSTED_APPLICATION_WHITELIST_VALIDATION_FAILED");
-      return false;
-    }
-
-    return true;
-  },
-
-  _verifySignedFile: function(aManifestStream, aSignatureStream, aCertDb) {
-    let deferred = Promise.defer();
-
-    let root = Ci.nsIX509CertDB.TrustedHostedAppPublicRoot;
-    try {
-      // Check if we should use the test certificates.
-      // Please note that this should be changed if we ever allow chages to the
-      // prefs since that would create a way for an attacker to use the test
-      // root for real apps.
-      let useTrustedAppTestCerts = Services.prefs
-        .getBoolPref("dom.mozApps.use_trustedapp_test_certs");
-      if (useTrustedAppTestCerts) {
-        root = Ci.nsIX509CertDB.TrustedHostedAppTestRoot;
-      }
-    } catch (ex) { }
-
-    aCertDb.verifySignedManifestAsync(
-      root, aManifestStream, aSignatureStream,
-      function(aRv, aCert) {
-        debug("Signature verification returned code, cert & root: " + aRv + " " + aCert + " " + root);
-        if (Components.isSuccessCode(aRv)) {
-          deferred.resolve(aCert);
-        } else if (aRv == Cr.NS_ERROR_FILE_CORRUPTED ||
-                   aRv == Cr.NS_ERROR_SIGNED_MANIFEST_FILE_INVALID) {
-          deferred.reject("MANIFEST_SIGNATURE_FILE_INVALID");
-        } else {
-          deferred.reject("MANIFEST_SIGNATURE_VERIFICATION_ERROR");
-        }
-      }
-    );
-
-    return deferred.promise;
-  },
-
-  verifySignedManifest: function(aApp, aAppId) {
-    let deferred = Promise.defer();
-
-    let certDb;
-    try {
-      certDb = Cc["@mozilla.org/security/x509certdb;1"]
-                 .getService(Ci.nsIX509CertDB);
-    } catch (e) {
-      debug("nsIX509CertDB error: " + e);
-      // unrecoverable error, don't bug the user
-      throw "CERTDB_ERROR";
-    }
-
-    let principal = Services.scriptSecurityManager.getAppCodebasePrincipal(
-                      aApp.origin, aApp.localId, false);
-
-    let mRequestChannel = NetUtil.newChannel({
-      uri: aApp.manifestURL,
-      loadingPrincipal: principal,
-      contentPolicyType: Ci.nsIContentPolicy.TYPE_OTHER}
-    ).QueryInterface(Ci.nsIHttpChannel);
-    mRequestChannel.loadFlags |= Ci.nsIRequest.INHIBIT_CACHING;
-    mRequestChannel.notificationCallbacks =
-      AppsUtils.createLoadContext(aAppId, false);
-
-    // The manifest signature must be located at the same path as the
-    // manifest and have the same file name, only the file extension
-    // should differ. Any fragment or query parameter will be ignored.
-    let signatureURL;
-    try {
-      let mURL = Cc["@mozilla.org/network/io-service;1"]
-        .getService(Ci.nsIIOService)
-        .newURI(aApp.manifestURL, null, null)
-        .QueryInterface(Ci.nsIURL);
-      signatureURL = mURL.prePath +
-        mURL.directory + mURL.fileBaseName + signatureFileExtension;
-    } catch(e) {
-      deferred.reject("SIGNATURE_PATH_INVALID");
-      return;
-    }
-
-    let sRequestChannel = NetUtil.newChannel({
-      uri: signatureURL,
-      loadingPrincipal: principal,
-      contentPolicyType: Ci.nsIContentPolicy.TYPE_OTHER}
-    ).QueryInterface(Ci.nsIHttpChannel);
-    sRequestChannel.loadFlags |= Ci.nsIRequest.INHIBIT_CACHING;
-    sRequestChannel.notificationCallbacks =
-      AppsUtils.createLoadContext(aAppId, false);
-    let getAsyncFetchCallback = (resolve, reject) =>
-        (aInputStream, aResult) => {
-          if (!Components.isSuccessCode(aResult)) {
-            debug("Failed to download file");
-            reject("MANIFEST_FILE_UNAVAILABLE");
-            return;
-          }
-          resolve(aInputStream);
-        };
-
-    Promise.all([
-      new Promise((resolve, reject) => {
-        NetUtil.asyncFetch(mRequestChannel,
-                            getAsyncFetchCallback(resolve, reject));
-      }),
-      new Promise((resolve, reject) => {
-        NetUtil.asyncFetch(sRequestChannel,
-                            getAsyncFetchCallback(resolve, reject));
-      })
-    ]).then(([aManifestStream, aSignatureStream]) => {
-      this._verifySignedFile(aManifestStream, aSignatureStream, certDb)
-        .then(deferred.resolve, deferred.reject);
-    }, deferred.reject);
-
-    return deferred.promise;
-  },
-
-  verifyManifest: function(aApp, aAppId, aManifest) {
-    return new Promise((resolve, reject) => {
-      // sanity check on manifest host's CA (proper CA check with
-      // pinning is done by regular networking code)
-      if (!this.isHostPinned(aApp.manifestURL)) {
-        reject("TRUSTED_APPLICATION_HOST_CERTIFICATE_INVALID");
-        return;
-      }
-      if (!this.verifyCSPWhiteList(aManifest.csp)) {
-        reject("TRUSTED_APPLICATION_WHITELIST_VALIDATION_FAILED");
-        return;
-      }
-      this.verifySignedManifest(aApp, aAppId).then(resolve, reject);
-    });
-  }
-};
--- a/dom/apps/Webapps.jsm
+++ b/dom/apps/Webapps.jsm
@@ -80,19 +80,16 @@ XPCOMUtils.defineLazyModuleGetter(this, 
   "resource://gre/modules/NetUtil.jsm");
 
 XPCOMUtils.defineLazyModuleGetter(this, "ScriptPreloader",
                                   "resource://gre/modules/ScriptPreloader.jsm");
 
 XPCOMUtils.defineLazyModuleGetter(this, "Langpacks",
                                   "resource://gre/modules/Langpacks.jsm");
 
-XPCOMUtils.defineLazyModuleGetter(this, "TrustedHostedAppsUtils",
-                                  "resource://gre/modules/TrustedHostedAppsUtils.jsm");
-
 XPCOMUtils.defineLazyModuleGetter(this, "ImportExport",
                                   "resource://gre/modules/ImportExport.jsm");
 
 #ifdef MOZ_WIDGET_GONK
 XPCOMUtils.defineLazyGetter(this, "libcutils", function() {
   Cu.import("resource://gre/modules/systemlibs.js");
   return libcutils;
 });
@@ -186,17 +183,16 @@ XPCOMUtils.defineLazyGetter(this, "permM
 // store even by error.
 const STORE_ID_PENDING_PREFIX = "#unknownID#";
 
 this.DOMApplicationRegistry = {
   // pseudo-constants for the different application kinds.
   get kPackaged()       "packaged",
   get kHosted()         "hosted",
   get kHostedAppcache() "hosted-appcache",
-  get kTrustedHosted()  "hosted-trusted",
 
   // Path to the webapps.json file where we store the registry data.
   appsFile: null,
   webapps: { },
   allAppsLaunchable: false,
   _updateHandlers: [ ],
   _pendingUninstalls: {},
   _contentActions: new Map(),
@@ -461,19 +457,17 @@ this.DOMApplicationRegistry = {
   }),
 
   appKind: function(aApp, aManifest) {
     if (aApp.origin.startsWith("app://")) {
       return this.kPackaged;
     } else {
       // Hosted apps, can be appcached or not.
       let kind = this.kHosted;
-      if (aManifest.type == "trusted") {
-        kind = this.kTrustedHosted;
-      } else if (aManifest.appcache_path) {
+      if (aManifest.appcache_path) {
         kind = this.kHostedAppcache;
       }
       return kind;
     }
   },
 
   updatePermissionsForApp: function(aId, aIsPreinstalled) {
     if (!this.webapps[aId]) {
@@ -1585,34 +1579,16 @@ this.DOMApplicationRegistry = {
 
     // Fire an error when trying to launch an app that is not
     // yet fully installed.
     if (app.installState == "pending") {
       aOnFailure("PENDING_APP_NOT_LAUNCHABLE");
       return;
     }
 
-    // Check if launching trusted hosted app
-    if (this.kTrustedHosted == app.kind) {
-      debug("Launching Trusted Hosted App!");
-      // sanity check on manifest host's CA
-      // (proper CA check with pinning is done by regular networking code)
-      if (!TrustedHostedAppsUtils.isHostPinned(aManifestURL)) {
-        debug("Trusted App Host certificate Not OK");
-        aOnFailure("TRUSTED_APPLICATION_HOST_CERTIFICATE_INVALID");
-        return;
-      }
-
-      debug("Trusted App Host pins exist");
-      if (!TrustedHostedAppsUtils.verifyCSPWhiteList(app.csp)) {
-        aOnFailure("TRUSTED_APPLICATION_WHITELIST_VALIDATION_FAILED");
-        return;
-      }
-    }
-
     // We have to clone the app object as nsIDOMApplication objects are
     // stringified as an empty object. (see bug 830376)
     let appClone = AppsUtils.cloneAppObject(app);
     appClone.startPoint = aStartPoint;
     appClone.timestamp = aTimeStamp;
     Services.obs.notifyObservers(null, "webapps-launch", JSON.stringify(appClone));
     aOnSuccess();
   },
@@ -1924,19 +1900,17 @@ this.DOMApplicationRegistry = {
     MessageBroadcaster.broadcastMessage("Webapps:FireEvent", {
       eventType: "downloadapplied",
       manifestURL: app.manifestURL
     });
   }),
 
   startOfflineCacheDownload: function(aManifest, aApp, aProfileDir, aIsUpdate) {
     debug("startOfflineCacheDownload " + aApp.id + " " + aApp.kind);
-    if ((aApp.kind !== this.kHostedAppcache &&
-         aApp.kind !== this.kTrustedHosted) ||
-         !aManifest.appcache_path) {
+    if (aApp.kind !== this.kHostedAppcache || !aManifest.appcache_path) {
       return;
     }
     debug("startOfflineCacheDownload " + aManifest.appcache_path);
 
     // If the manifest has an appcache_path property, use it to populate the
     // appcache.
     let appcacheURI = Services.io.newURI(aManifest.fullAppcachePath(),
                                          null, null);
@@ -2067,18 +2041,17 @@ this.DOMApplicationRegistry = {
 
 #ifdef MOZ_WIDGET_GONK
     let appDir = FileUtils.getDir("coreAppsDir", ["webapps"], false);
     onlyCheckAppCache = (app.basePath == appDir.path);
 #endif
 
     if (onlyCheckAppCache) {
       // Bail out for packaged apps & hosted apps without appcache.
-      if (aApp.kind !== this.kHostedAppcache &&
-          aApp.kind !== this.kTrustedHosted) {
+      if (aApp.kind !== this.kHostedAppcache) {
         sendError("NOT_UPDATABLE");
         return;
       }
 
       // We need the manifest to get the appcache path.
       this._readManifests([{ id: id }]).then((aResult) => {
         debug("Checking only appcache for " + aData.manifestURL);
         let manifest = aResult[0].manifest;
@@ -2182,26 +2155,17 @@ this.DOMApplicationRegistry = {
             if (oldHash == hash) {
               debug("Update - oldhash");
               this.updateHostedApp(aData, id, app, oldManifest, null);
               return;
             }
 
             // For hosted apps and hosted apps with appcache, use the
             // manifest "as is".
-            if (this.kTrustedHosted !== this.appKind(app, manifest)) {
-              this.updateHostedApp(aData, id, app, oldManifest, manifest);
-              return;
-            }
-
-            // For trusted hosted apps, verify the manifest before
-            // installation.
-            TrustedHostedAppsUtils.verifyManifest(app, id, manifest)
-              .then(() => this.updateHostedApp(aData, id, app, oldManifest, manifest),
-                sendError);
+            this.updateHostedApp(aData, id, app, oldManifest, manifest);
           }
         }
       } else if (xhr.status == 304) {
         // The manifest has not changed.
         if (isPackage) {
           app.lastCheckedUpdate = Date.now();
           this._saveApps().then(() => {
             // If the app is a packaged app, we just send a 'downloadapplied'
@@ -2370,19 +2334,17 @@ this.DOMApplicationRegistry = {
       aApp.csp = manifest.csp || "";
       aApp.updateTime = Date.now();
     }
 
     // Update the registry.
     this.webapps[aId] = aApp;
     yield this._saveApps();
 
-    if ((aApp.kind !== this.kHostedAppcache &&
-         aApp.kind !== this.kTrustedHosted) ||
-         !aApp.manifest.appcache_path) {
+    if (aApp.kind !== this.kHostedAppcache || !aApp.manifest.appcache_path) {
       MessageBroadcaster.broadcastMessage("Webapps:UpdateState", {
         app: aApp,
         manifest: aApp.manifest,
         id: aApp.id
       });
       MessageBroadcaster.broadcastMessage("Webapps:FireEvent", {
         eventType: "downloadapplied",
         manifestURL: aApp.manifestURL,
@@ -2528,22 +2490,17 @@ this.DOMApplicationRegistry = {
     // failure in sendError.
     this.pushContentAction(aData.oid);
 
     // We may already have the manifest (e.g. AutoInstall),
     // in which case we don't need to load it.
     if (app.manifest) {
       if (checkManifest()) {
         debug("Installed manifest check OK");
-        if (this.kTrustedHosted !== this.appKind(app, app.manifest)) {
-          installApp();
-          return;
-        }
-        TrustedHostedAppsUtils.verifyManifest(aData.app, aData.appId, app.manifest)
-          .then(installApp, sendError);
+        installApp();
       } else {
         debug("Installed manifest check failed");
         // checkManifest() sends error before return
       }
       return;
     }
 
     let xhr = Cc["@mozilla.org/xmlextras/xmlhttprequest;1"]
@@ -2561,24 +2518,17 @@ this.DOMApplicationRegistry = {
           sendError("INVALID_MANIFEST_CONTENT_TYPE");
           return;
         }
 
         app.manifest = xhr.response;
         if (checkManifest()) {
           debug("Downloaded manifest check OK");
           app.etag = xhr.getResponseHeader("Etag");
-          if (this.kTrustedHosted !== this.appKind(app, app.manifest)) {
-            installApp();
-            return;
-          }
-
-          debug("App kind: " + this.kTrustedHosted);
-          TrustedHostedAppsUtils.verifyManifest(aData.app, aData.appId, app.manifest)
-            .then(installApp, sendError);
+          installApp();
           return;
         } else {
           debug("Downloaded manifest check failed");
           // checkManifest() sends error before return
         }
       } else {
         sendError("MANIFEST_URL_ERROR");
       }
@@ -2827,34 +2777,30 @@ this.DOMApplicationRegistry = {
   },
 
   _cloneApp: function(aData, aNewApp, aLocaleManifest, aManifest, aId, aLocalId) {
     let appObject = AppsUtils.cloneAppObject(aNewApp);
     appObject.appStatus =
       aNewApp.appStatus || Ci.nsIPrincipal.APP_STATUS_INSTALLED;
 
     let usesAppcache = appObject.kind == this.kHostedAppcache;
-    if (appObject.kind == this.kTrustedHosted && aManifest.appcache_path) {
-      usesAppcache = true;
-    }
 
     if (usesAppcache) {
       appObject.installState = "pending";
       appObject.downloadAvailable = true;
       appObject.downloading = true;
       appObject.downloadSize = 0;
       appObject.readyToApplyDownload = false;
     } else if (appObject.kind == this.kPackaged) {
       appObject.installState = "pending";
       appObject.downloadAvailable = true;
       appObject.downloading = true;
       appObject.downloadSize = aLocaleManifest.size;
       appObject.readyToApplyDownload = false;
-    } else if (appObject.kind == this.kHosted ||
-               appObject.kind == this.kTrustedHosted) {
+    } else if (appObject.kind == this.kHosted) {
       appObject.installState = "installed";
       appObject.downloadAvailable = false;
       appObject.downloading = false;
       appObject.readyToApplyDownload = false;
     } else {
       debug("Unknown app kind: " + appObject.kind);
       throw Error("Unknown app kind: " + appObject.kind);
     }
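Review bot: With `kTrustedHosted` gone, an app object whose `kind` is still the string `"hosted-trusted"` now falls through to the final `else` in `_cloneApp` and throws `Unknown app kind`. Whether such objects can still reach this function is not visible in the hunk, but registry entries saved by an earlier build would carry that value. The other `kind` comparisons changed in this commit would then treat those entries as neither hosted nor appcached. If no migration exists elsewhere, consider normalising the value where the registry is loaded, or record the decision on the `else` branch with a comment such as `// "hosted-trusted" (removed in bug 1196988) intentionally ends up here.` The function starts and ends outside the hunk.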
@@ -3025,19 +2971,17 @@ this.DOMApplicationRegistry = {
 
     for (let prop of ["installState", "downloadAvailable", "downloading",
                            "downloadSize", "readyToApplyDownload"]) {
       aData.app[prop] = appObject[prop];
     }
 
     let dontNeedNetwork = false;
 
-    if ((appObject.kind == this.kHostedAppcache ||
-        appObject.kind == this.kTrustedHosted) &&
-        manifest.appcache_path) {
+    if (appObject.kind == this.kHostedAppcache && manifest.appcache_path) {
       this.queuedDownload[app.manifestURL] = {
         manifest: manifest,
         app: appObject,
         profileDir: aProfileDir
       }
     } else if (appObject.kind == this.kPackaged) {
       // If it is a local app then it must been installed from a local file
       // instead of web.
--- a/dom/apps/moz.build
+++ b/dom/apps/moz.build
@@ -43,17 +43,16 @@ EXTRA_JS_MODULES += [
 ]
 
 EXTRA_PP_JS_MODULES += [
     'AppsUtils.jsm',
     'ImportExport.jsm',
     'InterAppCommService.jsm',
     'OperatorApps.jsm',
     'ScriptPreloader.jsm',
-    'TrustedHostedAppsUtils.jsm',
     'Webapps.jsm',
 ]
 
 FAIL_ON_WARNINGS = True
 
 FINAL_LIBRARY = 'xul'
 
 LOCAL_INCLUDES += [
--- a/dom/apps/tests/chrome.ini
+++ b/dom/apps/tests/chrome.ini
@@ -3,15 +3,14 @@ skip-if = buildapp == 'b2g' || os == 'an
 support-files =
   asmjs/*
   file_bug_945152.html
   file_bug_945152.sjs
 
 [test_apps_service.xul]
 [test_bug_945152.html]
 skip-if = os != 'linux'
-[test_tha_utils.html]
 [test_manifest_helper.xul]
 [test_operator_app_install.js]
 [test_operator_app_install.xul]
 # bug 928262
  skip-if = os == "win"
 [test_packaged_app_asmjs.html]
--- a/dom/apps/tests/file_app.sjs
+++ b/dom/apps/tests/file_app.sjs
@@ -9,18 +9,17 @@ function makeResource(templatePath, vers
   let icon = getState('icon') || gDefaultIcon;
   var res = readTemplate(templatePath).replace(/VERSIONTOKEN/g, version)
                                       .replace(/APPTYPETOKEN/g, apptype)
                                       .replace(/ICONTOKEN/g, icon)
                                       .replace(/ROLE/g, role);
 
   // Hack - This is necessary to make the tests pass, but hbambas says it
   // shouldn't be necessary. Comment it out and watch the tests fail.
-  if (templatePath == gAppTemplatePath &&
-      (apptype == 'cached' || apptype == 'trusted')) {
+  if (templatePath == gAppTemplatePath && apptype == 'cached') {
     res = res.replace('<html>', '<html manifest="file_app.sjs?apptype=' + apptype + '&getappcache=true">');
   }
   return res;
 }
 
 function handleRequest(request, response) {
   var query = getQuery(request);
 
@@ -44,17 +43,17 @@ function handleRequest(request, response
     response.setHeader("Content-Type", "text/html", false);
     response.setHeader("Access-Control-Allow-Origin", "*", false);
     response.write('OK');
     return;
   }
 
   // Get the app type.
   var apptype = query.apptype;
-  if (apptype != 'hosted' && apptype != 'cached' && apptype != 'widget'  && apptype != 'invalidWidget' && apptype != 'trusted')
+  if (apptype != 'hosted' && apptype != 'cached' && apptype != 'widget'  && apptype != 'invalidWidget')
     throw "Invalid app type: " + apptype;
 
   var role = query.role;
 
   // Get the version from server state and handle the etag.
   var version = Number(getState('version'));
   var etag = getEtag(request, version);
   dump("Server Etag: " + etag + "\n");
@@ -85,17 +84,17 @@ function handleRequest(request, response
     response.write(makeResource(template, version, apptype, role));
     return;
   }
 
   // If apptype==cached, we might be generating the appcache manifest.
   //
   // NB: Among other reasons, we use the same sjs file here so that the version
   //     state is shared.
-  if ((apptype == 'cached' || apptype == 'trusted') &&
+  if ((apptype == 'cached') &&
       'getappcache' in query) {
     response.setHeader("Content-Type", "text/cache-manifest", false);
     response.write(makeResource(gAppcacheTemplatePath, version, apptype, role));
     return;
   }
   else if (apptype == 'widget' || apptype == 'invalidWidget')
   {
     response.setHeader("Content-Type", "text/html", false);
deleted file mode 100644
--- a/dom/apps/tests/file_trusted_app.template.webapp
+++ /dev/null
@@ -1,10 +0,0 @@
-{
-  "type": "trusted",
-  "name": "Really Rapid Release (trusted)",
-  "description": "Updated even faster than <a href='http://mozilla.org'>Firefox</a>, just to annoy slashdotters.",
-  "launch_path": "/tests/dom/apps/tests/file_app.sjs?apptype=trusted",
-  "icons": {
-    "128": "ICONTOKEN"
-  },
-  "role": "ROLE"
-}
--- a/dom/apps/tests/mochitest.ini
+++ b/dom/apps/tests/mochitest.ini
@@ -13,17 +13,16 @@ support-files =
   file_script.template.js
   file_cached_app.template.appcache
   file_cached_app.template.webapp
   file_hosted_app.template.webapp
   file_hosted_certified.webapp
   file_hosted_certified.webapp^headers^
   file_manifest.json
   file_manifest.json^headers^
-  file_trusted_app.template.webapp
   file_invalidWidget_app.template.webapp
   file_packaged_app.sjs
   file_packaged_app.template.html
   file_packaged_app.template.webapp
   file_widget_app.template.webapp
   file_widget_app.template.html
   file_test_widget.js
   langpack/*
--- a/dom/apps/tests/test_app_update.html
+++ b/dom/apps/tests/test_app_update.html
@@ -12,23 +12,21 @@ https://bugzilla.mozilla.org/show_bug.cg
 
   /** Test for Bug 826058 **/
 
   SimpleTest.waitForExplicitFinish();
 
   var gBaseURL = 'http://test/tests/dom/apps/tests/';
   var gHostedManifestURL = gBaseURL + 'file_app.sjs?apptype=hosted&getmanifest=true';
   var gCachedManifestURL = gBaseURL + 'file_app.sjs?apptype=cached&getmanifest=true';
-  var gTrustedManifestURL = gBaseURL + 'file_app.sjs?apptype=trusted&getmanifest=true';
   var gGenerator;
   // We need to set the trusted hosted app csp pref since it's only in
   // b2g.js for now.
   function setCSPPrefs() {
-    SpecialPowers.pushPrefEnv({'set':[["security.apps.trusted.CSP.default",
-"default-src *; object-src 'none'"], ["dom.mozBrowserFramesEnabled",true]]},
+    SpecialPowers.pushPrefEnv({'set':[["dom.mozBrowserFramesEnabled",true]]},
       function() {  gGenerator = runTest(); gGenerator.next(); });
   }
 
   function go() {
     SpecialPowers.pushPermissions(
       [{ "type": "browser", "allow": 1, "context": document },
        { "type": "embed-apps", "allow": 1, "context": document },
        { "type": "webapps-manage", "allow": 1, "context": document }],
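Review bot: The comment above `setCSPPrefs` still reads "We need to set the trusted hosted app csp pref since it's only in b2g.js for now", but after this change the function only sets `dom.mozBrowserFramesEnabled`. The pref the comment refers to is removed from b2g.js in the same commit. The comment should be replaced with something like `// Enable mozbrowser frames for the duration of the test.` The function name no longer matches what it does either, so renaming it (for example to `setPrefs`) together with its caller would keep the test from implying that a CSP default is still being overridden.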
@@ -185,64 +183,16 @@ https://bugzilla.mozilla.org/show_bug.cg
 
 
     // Uninstall the hosted app.
     request = navigator.mozApps.mgmt.uninstall(app);
     request.onerror = mozAppsError;
     request.onsuccess = continueTest;
     yield undefined;
     info("Uninstalled hosted appcache app");
-
-    /**
-      * DISABLED FOR NOW UNTIL WE CAN TEST PINNING PROPERLY
-      */
-    // Install the trusted app.
-    /*setAppVersion(4, continueTest);
-    yield undefined;
-    ok(true, "Installing trusted app");
-    var request = navigator.mozApps.install(gTrustedManifestURL);
-    request.onerror = mozAppsError;
-    request.onsuccess = continueTest;
-    yield undefined;
-    var app = request.result;
-    ok(app, "App is non-null");
-    if (app.installState == "pending") {
-      ok(true, "App is pending. Waiting for progress");
-      app.onprogress = function() ok(true, "Got download progress");
-      app.ondownloadsuccess = continueTest;
-      app.ondownloaderror = mozAppsError;
-      yield undefined;
-    }
-    is(app.installState, "installed", "Trusted App is installed");
-    is(app.manifest.type, "trusted", "App is trusted");
-*/
-    // Check the cached app.
-    /*checkAppState(app, true, 4, continueTest);
-    yield undefined;*/
-
-    // Check for updates. The current infrastructure always returns a new appcache
-    // manifest, so there should always be an update.
-    /*var lastCheck = app.lastUpdateCheck;
-    ok(true, "Setting callbacks");
-    app.ondownloadapplied = function() ok(true, "downloadapplied fired.");
-    app.ondownloadavailable = function() ok(false, "downloadavailable fired");
-    ok(true, "Checking for updates");
-    var request = app.checkForUpdate();
-    request.onerror = mozAppsError;
-    request.onsuccess = continueTest;
-    yield undefined;
-    todo(app.lastUpdateCheck > lastCheck, "lastUpdateCheck updated appropriately");*/
-
-
-    // Uninstall the app.
-    /*request = navigator.mozApps.mgmt.uninstall(app);
-    request.onerror = mozAppsError;
-    request.onsuccess = continueTest;
-    yield undefined;
-    info("Uninstalled trusted app");*/
   }
 
   function setAppVersion(version, cb) {
     var xhr = new XMLHttpRequest();
     var url = gBaseURL + 'file_app.sjs?setVersion=' + version;
     xhr.addEventListener("load", function() { is(xhr.responseText, "OK", "setAppVersion OK"); cb(); });
     xhr.addEventListener("error", event => xhrError(event, url));
     xhr.addEventListener("abort", event => xhrAbort(url));
deleted file mode 100644
--- a/dom/apps/tests/test_tha_utils.html
+++ /dev/null
@@ -1,237 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <meta charset="utf-8">
-  <title>Test for Trusted Hosted Apps Utils</title>
-  <script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>
-  <link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css"/>
-
-  <script type="application/javascript;version=1.7">
-  Components.utils.import("resource://gre/modules/TrustedHostedAppsUtils.jsm");
-
-  SimpleTest.waitForExplicitFinish();
-
-  let tests = [{
-    key: "getCSPWhiteList with no argument",
-    func: function test1() {
-      let cspWhiteList = TrustedHostedAppsUtils.getCSPWhiteList();
-      ok(!cspWhiteList.valid, "Should be invalid");
-      is(cspWhiteList.list.length, 0, "List should be empty");
-      nextTest();
-    }
-  },{
-    key: "getCSPWhiteList without style-src",
-    func: function test2() {
-      let cspWhiteList = TrustedHostedAppsUtils.getCSPWhiteList(
-        "script-src https://script.example.com; stylee-src https://style.example.com"
-      );
-      ok(!cspWhiteList.valid, "Should be invalid");
-      is(cspWhiteList.list.length, 0, "List should be empty");
-      nextTest();
-    }
-  },{
-    key: "getCSPWhiteList without script-src",
-    func: function test3() {
-      let cspWhiteList = TrustedHostedAppsUtils.getCSPWhiteList(
-        "script-source https://script.example.com; style-src https://style.example.com"
-      );
-      ok(!cspWhiteList.valid, "Should be invalid");
-      is(cspWhiteList.list.length, 0, "List should be empty");
-      nextTest();
-    }
-  },{
-    key: "getCSPWhiteList without source",
-    func: function test4() {
-      let cspWhiteList = TrustedHostedAppsUtils.getCSPWhiteList(
-        "script-src; style-src https://style.example.com"
-      );
-      ok(!cspWhiteList.valid, "Should be invalid");
-      is(cspWhiteList.list.length, 0, "List should be empty");
-      nextTest();
-    }
-  },{
-    key: "getCSPWhiteList working",
-    func: function test5() {
-      let cspWhiteList = TrustedHostedAppsUtils.getCSPWhiteList(
-        "script-src https://script.example.com; style-src https://style.example.com"
-      );
-      ok(cspWhiteList.valid, "Should be valid");
-      is(cspWhiteList.list.length, 2, "List should have two sources");
-      ok(cspWhiteList.list.every(aEl => ["https://script.example.com", "https://style.example.com"].indexOf(aEl) != -1), "Sources: " + cspWhiteList.list);
-      nextTest();
-    }
-  },{
-    key: "getCSPWhiteList working with duplicates",
-    func: function test6() {
-      let cspWhiteList = TrustedHostedAppsUtils.getCSPWhiteList(
-        "script-src https://script.example.com;" +
-        "style-src https://style.example.com;" +
-        "style-src https://style.example.com;" +
-        "style-src https://style.example.com;" +
-        "style-src https://style.example.com;"
-      );
-      ok(cspWhiteList.valid, "Should be valid");
-      is(cspWhiteList.list.length, 2, "List should have two sources");
-      ok(cspWhiteList.list.every(aEl => ["https://script.example.com", "https://style.example.com"].indexOf(aEl) != -1), "Sources: " + cspWhiteList.list);
-      nextTest();
-    }
-  },{
-    key: "getCSPWhiteList working with duplicates and many sources",
-    func: function test7() {
-      let cspWhiteList = TrustedHostedAppsUtils.getCSPWhiteList(
-        "script-src https://script.example.com https://script2.example.com;" +
-        "style-src https://style.example.com;" +
-        "style-src https://style.example.com https://script1.example.com;" +
-        "style-src https://style.example.com https://style2.example.com;" +
-        "style-src https://style3.example.com;"
-      );
-      ok(cspWhiteList.valid, "Should be valid");
-      is(cspWhiteList.list.length, 6, "List should have 6 sources");
-      ok(cspWhiteList.list.every(aEl => ["https://script.example.com",
-                                       "https://script1.example.com",
-                                       "https://script2.example.com",
-                                       "https://style.example.com",
-                                       "https://style2.example.com",
-                                       "https://style3.example.com"].indexOf(aEl) != -1),
-        "Sources: " + cspWhiteList.list);
-      nextTest();
-    }
-  },{
-    key: "getCSPWhiteList only adds sources from required directives",
-    func: function test8() {
-      let cspWhiteList = TrustedHostedAppsUtils.getCSPWhiteList(
-        "script-src https://script.example.com https://script2.example.com;" +
-        "style-src https://style.example.com;" +
-        "img-src https://img.example.com;" +
-        "audio-src https://audio.example.com https://audio2.example.com;" +
-        "video-src https://video.example.com;" +
-        "default-src *;" +
-        "media-src http://media.example.com;" +
-        "child-src http://child.example.com;" +
-        "frame-src http://frame.example.com;" +
-        "frame-ancestrs http://frame-a.example.com;" +
-        "font-src http://font.example.com;" +
-        "connect-src http://connect.example.com;"
-      );
-      ok(cspWhiteList.valid, "Should be valid");
-      is(cspWhiteList.list.length, 3, "List should have 3 sources");
-      ok(cspWhiteList.list.every(aEl => ["https://script.example.com",
-                                       "https://script2.example.com",
-                                       "https://style.example.com"].indexOf(aEl) != -1),
-        "Sources: " + cspWhiteList.list);
-      nextTest();
-    }
-  },{
-    key: "getCSPWhiteList allows 'self' but doesn't add it",
-    func: function test9() {
-      let cspWhiteList = TrustedHostedAppsUtils.getCSPWhiteList(
-        "script-src 'self';" +
-        "style-src 'self'"
-      );
-      ok(cspWhiteList.valid, "Should be valid");
-      is(cspWhiteList.list.length, 0, "List should have no source");
-      nextTest();
-    }
-  },{
-    key: "getCSPWhiteList allows *",
-    func: function test10() {
-      let cspWhiteList = TrustedHostedAppsUtils.getCSPWhiteList(
-        "script-src *;" +
-        "style-src https://style.example.com"
-      );
-      ok(cspWhiteList.valid, "Should be valid");
-      is(cspWhiteList.list.length, 2, "List should have 2 sources");
-      nextTest();
-    }
-  },{
-    key: "isHostPinned doesn't allow *",
-    func: function test11() {
-      let isHostPinned = TrustedHostedAppsUtils.isHostPinned("*");
-      ok(!isHostPinned, "Should not be pinned");
-      nextTest();
-    }
-  },{
-    key: "isHostPinned doesn't allow http urls",
-    func: function test12() {
-      let isHostPinned = TrustedHostedAppsUtils.isHostPinned("http://example.com");
-      ok(!isHostPinned, "Should not be pinned:(" + isHostPinned + ") http://example.com");
-      nextTest();
-    }
-  },{
-    key: "isHostPinned doesn't allow shema-less urls",
-    func: function test13() {
-      let isHostPinned = TrustedHostedAppsUtils.isHostPinned("example.com");
-      ok(!isHostPinned, "Should not be pinned:(" + isHostPinned + ") example.com");
-      nextTest();
-    }
-  },{
-    key: "isHostPinned doesn't allow 'unsafe-eval'",
-    func: function test14() {
-      let isHostPinned = TrustedHostedAppsUtils.isHostPinned("'unsafe-eval'");
-      ok(!isHostPinned, "Should not be pinned:(" + isHostPinned + ") 'unsafe-eval'");
-      nextTest();
-    }
-  },{
-    key: "isHostPinned doesn't allow 'unsafe-inline'",
-    func: function test15() {
-      let isHostPinned = TrustedHostedAppsUtils.isHostPinned("'unsafe-inline'");
-      ok(!isHostPinned, "Should not be pinned:(" + isHostPinned + ") 'unsafe-inline'");
-      nextTest();
-    }
-  },{
-    key: "isHostPinned doesn't allow foobar",
-    func: function test16() {
-      let isHostPinned = TrustedHostedAppsUtils.isHostPinned("foobar");
-      ok(!isHostPinned, "Should not be pinned:(" + isHostPinned + ") foobar");
-      nextTest();
-    }
-  },{
-    key: "isHostPinned doesn't allow https://www.example.com:*",
-    func: function test17() {
-      let isHostPinned = TrustedHostedAppsUtils.isHostPinned("https://example.com:*");
-      ok(!isHostPinned, "Should not be pinned:(" + isHostPinned + ") https://example.com:*");
-      nextTest();
-    }
-
-  },{
-    key: "isHostPinned doesn't allow https://*.example.com",
-    func: function test18() {
-      let isHostPinned = TrustedHostedAppsUtils.isHostPinned("https://*.example.com");
-      ok(!isHostPinned, "Should not be pinned:(" + isHostPinned + ") https://*.example.com");
-      nextTest();
-    }
-  }];
-
-  let testGenerator = function _testGenerator() {
-    for (let i = 0; i < tests.length; ++i) {
-      yield tests[i];
-    }
-  }();
-
-  let nextTest = () => {
-    try {
-      let t = testGenerator.next();
-      info("test: " + t.key);
-      t.func();
-    } catch(e) {
-      if (e instanceof StopIteration) {
-        SimpleTest.finish();
-      } else {
-        throw e;
-      }
-    }
-  }
-
-  document.addEventListener("DOMContentLoaded", function () {
-    nextTest();
-  });
-
-  </script>
-</head>
-<body>
-  <p id="display"></p>
-  <div id="content" style="display: none"></div>
-  <pre id="test"></pre>
-  <div id="container"></div>
-</body>
-</html>
--- a/dom/messages/SystemMessagePermissionsChecker.jsm
+++ b/dom/messages/SystemMessagePermissionsChecker.jsm
@@ -224,22 +224,22 @@ this.SystemMessagePermissionsChecker = {
    *        The app's manifest.
    * @returns bool
    *        Is permitted or not.
    **/
   isSystemMessagePermittedToRegister: function (aSysMsgName,
                                                 aManifestURL,
                                                 aOrigin,
                                                 aManifest) {
-      // Test if the launch path of the app has the right permission.
-      let newManifest = new ManifestHelper(aManifest, aOrigin, aManifestURL);
-      let launchUrl = newManifest.fullLaunchPath();
-      return this.isSystemMessagePermittedToSend(aSysMsgName,
-                                                 launchUrl,
-                                                 aManifestURL);
+    // Test if the launch path of the app has the right permission.
+    let newManifest = new ManifestHelper(aManifest, aOrigin, aManifestURL);
+    let launchUrl = newManifest.fullLaunchPath();
+    return this.isSystemMessagePermittedToSend(aSysMsgName,
+                                               launchUrl,
+                                               aManifestURL);
   },
 
   /**
    * Check if the system message is permitted to be sent to the given
    * app's page at run-time based on the current app's permissions.
    * @param string aSysMsgName
    *        The system messsage name.
    * @param string aPageURL
--- a/security/apps/AppTrustDomain.cpp
+++ b/security/apps/AppTrustDomain.cpp
@@ -79,26 +79,16 @@ AppTrustDomain::SetTrustedRoot(AppTruste
       mMinRSABits = 1024u;
       break;
 
     case nsIX509CertDB::AppXPCShellRoot:
       trustedDER.data = const_cast<uint8_t*>(xpcshellRoot);
       trustedDER.len = mozilla::ArrayLength(xpcshellRoot);
       break;
 
-    case nsIX509CertDB::TrustedHostedAppPublicRoot:
-      trustedDER.data = const_cast<uint8_t*>(trustedAppPublicRoot);
-      trustedDER.len = mozilla::ArrayLength(trustedAppPublicRoot);
-      break;
-
-    case nsIX509CertDB::TrustedHostedAppTestRoot:
-      trustedDER.data = const_cast<uint8_t*>(trustedAppTestRoot);
-      trustedDER.len = mozilla::ArrayLength(trustedAppTestRoot);
-      break;
-
     case nsIX509CertDB::AddonsPublicRoot:
       trustedDER.data = const_cast<uint8_t*>(addonsPublicRoot);
       trustedDER.len = mozilla::ArrayLength(addonsPublicRoot);
       break;
 
     case nsIX509CertDB::AddonsStageRoot:
       trustedDER.data = const_cast<uint8_t*>(addonsStageRoot);
       trustedDER.len = mozilla::ArrayLength(addonsStageRoot);
--- a/security/manager/ssl/nsIX509CertDB.idl
+++ b/security/manager/ssl/nsIX509CertDB.idl
@@ -41,17 +41,17 @@ interface nsIVerifySignedManifestCallbac
   void verifySignedManifestFinished(in nsresult rv,
                                     in nsIX509Cert aSignerCert);
 };
 
 /**
  * This represents a service to access and manipulate
  * X.509 certificates stored in a database.
  */
-[scriptable, uuid(fbe2a0c8-ec51-4ea4-80b3-e16793141967)]
+[scriptable, uuid(c9fdec46-5c4c-4b1d-a0ca-c2bc10151b69)]
 interface nsIX509CertDB : nsISupports {
 
   /**
    *  Constants that define which usages a certificate
    *  is trusted for.
    */
   const unsigned long UNTRUSTED       =      0;
   const unsigned long TRUSTED_SSL     = 1 << 0;
@@ -311,20 +311,18 @@ interface nsIX509CertDB : nsISupports {
    *  first step in opening the JAR.
    */
   const AppTrustedRoot AppMarketplaceProdPublicRoot = 1;
   const AppTrustedRoot AppMarketplaceProdReviewersRoot = 2;
   const AppTrustedRoot AppMarketplaceDevPublicRoot = 3;
   const AppTrustedRoot AppMarketplaceDevReviewersRoot = 4;
   const AppTrustedRoot AppMarketplaceStageRoot = 5;
   const AppTrustedRoot AppXPCShellRoot = 6;
-  const AppTrustedRoot TrustedHostedAppPublicRoot = 7;
-  const AppTrustedRoot TrustedHostedAppTestRoot = 8;
-  const AppTrustedRoot AddonsPublicRoot = 9;
-  const AppTrustedRoot AddonsStageRoot = 10;
+  const AppTrustedRoot AddonsPublicRoot = 7;
+  const AppTrustedRoot AddonsStageRoot = 8;
   void openSignedAppFileAsync(in AppTrustedRoot trustedRoot,
                               in nsIFile aJarFile,
                               in nsIOpenSignedAppFileCallback callback);
 
   /**
    *  Verifies the signature on a directory representing an unpacked signed
    *  JAR file. To be considered valid, there must be exactly one signature
    *  on the directory structure and that signature must have signed every
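Review bot: Renumbering `AddonsPublicRoot` and `AddonsStageRoot` from 9/10 to 7/8 reuses the values that used to mean `TrustedHostedAppPublicRoot` and `TrustedHostedAppTestRoot`. Any caller that holds the number rather than the symbol (a literal in script, a persisted value, an out-of-tree component) would now select an add-on trust root for signature verification. Before this change it would have fallen into whatever `AppTrustDomain::SetTrustedRoot` does for an unknown value, which is not visible here. The uuid bump in the earlier hunk changes the interface identity but does not protect numeric values passed from script. I would keep the add-on values stable and retire the gap, i.e. `const AppTrustedRoot AddonsPublicRoot = 9;` and `const AppTrustedRoot AddonsStageRoot = 10;`, preceded by `// 7 and 8 were the Trusted Hosted App roots (removed); do not reuse.` The interface body continues outside the hunk.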