Bug 1439713 - Change nsIContentPolicy shouldLoad to take an <uri, loadInfo> pair instead of the various args. r=bz
authorChristoph Kerschbaumer <ckerschb@christophkerschbaumer.com>
Thu, 29 Mar 2018 12:16:23 +0200
changeset 464211 22d7899c79f85237e8590843efd729e69996deb2
parent 464210 902feab0373f7d5c73ca98999f8ef8b786d17aeb
child 464212 65df341041e1d2c1db4294fc6e51f6ede99052df
push id9165
push userasasaki@mozilla.com
push dateThu, 26 Apr 2018 21:04:54 +0000
treeherdermozilla-beta@064c3804de2e [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbz
bugs1439713
milestone61.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1439713 - Change nsIContentPolicy shouldLoad to take an <uri, loadInfo> pair instead of the various args. r=bz
docshell/base/nsDocShell.cpp
dom/base/nsContentPolicy.cpp
dom/base/nsContentPolicy.h
dom/base/nsContentPolicyUtils.h
dom/base/nsContentUtils.cpp
dom/base/nsContentUtils.h
dom/base/nsDataDocumentContentPolicy.cpp
dom/base/nsIContentPolicy.idl
dom/base/nsNoDataProtocolContentPolicy.cpp
dom/base/nsObjectLoadingContent.cpp
dom/html/ImageDocument.cpp
dom/plugins/base/nsPluginStreamListenerPeer.cpp
dom/script/ScriptLoader.cpp
dom/security/nsCSPService.cpp
dom/security/nsContentSecurityManager.cpp
dom/security/nsMixedContentBlocker.cpp
dom/serviceworkers/ServiceWorkerEvents.cpp
dom/serviceworkers/ServiceWorkerManager.cpp
dom/websocket/WebSocket.cpp
dom/xml/nsXMLContentSink.cpp
extensions/permissions/nsContentBlocker.cpp
image/imgLoader.cpp
layout/style/FontFaceSet.cpp
layout/style/Loader.cpp
mobile/android/components/ImageBlockingPolicy.js
netwerk/base/LoadInfo.cpp
netwerk/base/nsILoadInfo.idl
toolkit/components/browser/nsWebBrowserContentPolicy.cpp
toolkit/modules/addons/WebRequestContent.js
toolkit/mozapps/extensions/AddonContentPolicy.cpp
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -9542,26 +9542,29 @@ nsDocShell::InternalLoad(nsIURI* aURI,
     // argument to pass a specific identifier.
     nsCOMPtr<nsISupportsString> extraStr =
       do_CreateInstance(NS_SUPPORTS_STRING_CONTRACTID, &rv);
     NS_ENSURE_SUCCESS(rv, rv);
     NS_NAMED_LITERAL_STRING(msg, "conPolCheckFromDocShell");
     rv = extraStr->SetData(msg);
     NS_ENSURE_SUCCESS(rv, rv);
 
+    // Ideally we should use the same loadinfo as within DoURILoad which
+    // should match this one when both are applicable.
+    nsCOMPtr<nsPIDOMWindowOuter> loadingWindow = mScriptGlobal->AsOuter();
+    nsCOMPtr<nsILoadInfo> secCheckLoadInfo =
+      new LoadInfo(loadingWindow,
+                   aTriggeringPrincipal,
+                   requestingContext,
+                   nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK);
+
     int16_t shouldLoad = nsIContentPolicy::ACCEPT;
-    rv = NS_CheckContentLoadPolicy(contentType,
-                                   aURI,
-                                   // This is a top-level load, so the loading
-                                   // principal is null.
-                                   nullptr,
-                                   aTriggeringPrincipal,
-                                   requestingContext,
+    rv = NS_CheckContentLoadPolicy(aURI,
+                                   secCheckLoadInfo,
                                    EmptyCString(),  // mime guess
-                                   extraStr,  // extra
                                    &shouldLoad);
 
     if (NS_FAILED(rv) || NS_CP_REJECTED(shouldLoad)) {
       if (NS_SUCCEEDED(rv) && shouldLoad == nsIContentPolicy::REJECT_TYPE) {
         return NS_ERROR_CONTENT_BLOCKED_SHOW_ALT;
       }
 
       return NS_ERROR_CONTENT_BLOCKED;
--- a/dom/base/nsContentPolicy.cpp
+++ b/dom/base/nsContentPolicy.cpp
@@ -42,18 +42,16 @@ NS_NewContentPolicy(nsIContentPolicy **a
 {
   *aResult = new nsContentPolicy;
   NS_ADDREF(*aResult);
   return NS_OK;
 }
 
 nsContentPolicy::nsContentPolicy()
     : mPolicies(NS_CONTENTPOLICY_CATEGORY)
-    , mMixedContentBlocker(do_GetService(NS_MIXEDCONTENTBLOCKER_CONTRACTID))
-    , mCSPService(do_GetService(CSPSERVICE_CONTRACTID))
 {
 }
 
 nsContentPolicy::~nsContentPolicy()
 {
 }
 
 #ifdef DEBUG
@@ -71,25 +69,30 @@ nsContentPolicy::~nsContentPolicy()
 #else  // ! defined(DEBUG)
 
 #define WARN_IF_URI_UNINITIALIZED(uri,name)
 
 #endif // defined(DEBUG)
 
 inline nsresult
 nsContentPolicy::CheckPolicy(CPMethod          policyMethod,
-                             nsContentPolicyType contentType,
                              nsIURI           *contentLocation,
-                             nsIURI           *requestingLocation,
-                             nsISupports      *requestingContext,
+                             nsILoadInfo      *loadInfo,
                              const nsACString &mimeType,
-                             nsISupports      *extra,
-                             nsIPrincipal     *requestPrincipal,
                              int16_t           *decision)
 {
+    nsContentPolicyType contentType = loadInfo->InternalContentPolicyType();
+    nsCOMPtr<nsISupports> requestingContext = loadInfo->GetLoadingContext();
+    nsCOMPtr<nsIPrincipal> requestPrincipal = loadInfo->TriggeringPrincipal();
+    nsCOMPtr<nsIURI> requestingLocation;
+    nsCOMPtr<nsIPrincipal> loadingPrincipal = loadInfo->LoadingPrincipal();
+    if (loadingPrincipal) {
+      loadingPrincipal->GetURI(getter_AddRefs(requestingLocation));
+    }
+
     //sanity-check passed-through parameters
     NS_PRECONDITION(decision, "Null out pointer");
     WARN_IF_URI_UNINITIALIZED(contentLocation, "Request URI");
     WARN_IF_URI_UNINITIALIZED(requestingLocation, "Requesting URI");
 
 #ifdef DEBUG
     {
         nsCOMPtr<nsIDOMNode> node(do_QueryInterface(requestingContext));
@@ -142,25 +145,18 @@ nsContentPolicy::CheckPolicy(CPMethod   
         if (csp && window) {
             csp->EnsureEventTarget(window->EventTargetFor(mozilla::TaskCategory::Other));
         }
     }
 
     int32_t count = entries.Count();
     for (int32_t i = 0; i < count; i++) {
         /* check the appropriate policy */
-        // Send internal content policy type to CSP and mixed content blocker
-        nsContentPolicyType type = externalType;
-        if (mMixedContentBlocker == entries[i] || mCSPService == entries[i]) {
-          type = contentType;
-        }
-        rv = (entries[i]->*policyMethod)(type, contentLocation,
-                                         requestingLocation, requestingContext,
-                                         mimeType, extra, requestPrincipal,
-                                         decision);
+        rv = (entries[i]->*policyMethod)(contentLocation, loadInfo,
+                                         mimeType, decision);
 
         if (NS_SUCCEEDED(rv) && NS_CP_REJECTED(*decision)) {
             // If we are blocking an image, we have to let the
             // ImageLoadingContent know that we blocked the load.
             if (externalType == nsIContentPolicy::TYPE_IMAGE ||
                 externalType == nsIContentPolicy::TYPE_IMAGESET) {
               nsCOMPtr<nsIImageLoadingContent> img =
                 do_QueryInterface(requestingContext);
@@ -177,16 +173,21 @@ nsContentPolicy::CheckPolicy(CPMethod   
     *decision = nsIContentPolicy::ACCEPT;
     return NS_OK;
 }
 
 //uses the parameters from ShouldXYZ to produce and log a message
 //logType must be a literal string constant
 #define LOG_CHECK(logType)                                                     \
   PR_BEGIN_MACRO                                                               \
+    nsCOMPtr<nsIURI> requestingLocation;                                       \
+    nsCOMPtr<nsIPrincipal> loadingPrincipal = loadInfo->LoadingPrincipal();    \
+    if (loadingPrincipal) {                                                    \
+      loadingPrincipal->GetURI(getter_AddRefs(requestingLocation));            \
+    }                                                                          \
     /* skip all this nonsense if the call failed or logging is disabled */     \
     if (NS_SUCCEEDED(rv) && MOZ_LOG_TEST(gConPolLog, LogLevel::Debug)) {       \
       const char *resultName;                                                  \
       if (decision) {                                                          \
         resultName = NS_CP_ResponseName(*decision);                            \
       } else {                                                                 \
         resultName = "(null ptr)";                                             \
       }                                                                        \
@@ -197,48 +198,36 @@ nsContentPolicy::CheckPolicy(CPMethod   
               requestingLocation ? requestingLocation->GetSpecOrDefault().get()\
                                  : "None",                                     \
               resultName)                                                      \
              );                                                                \
     }                                                                          \
   PR_END_MACRO
 
 NS_IMETHODIMP
-nsContentPolicy::ShouldLoad(uint32_t          contentType,
-                            nsIURI           *contentLocation,
-                            nsIURI           *requestingLocation,
-                            nsISupports      *requestingContext,
+nsContentPolicy::ShouldLoad(nsIURI           *contentLocation,
+                            nsILoadInfo      *loadInfo,
                             const nsACString &mimeType,
-                            nsISupports      *extra,
-                            nsIPrincipal     *requestPrincipal,
                             int16_t          *decision)
 {
     // ShouldProcess does not need a content location, but we do
     NS_PRECONDITION(contentLocation, "Must provide request location");
     nsresult rv = CheckPolicy(&nsIContentPolicy::ShouldLoad,
-                              contentType,
-                              contentLocation, requestingLocation,
-                              requestingContext, mimeType, extra,
-                              requestPrincipal, decision);
+                              contentLocation, loadInfo,
+                              mimeType, decision);
     LOG_CHECK("ShouldLoad");
 
     return rv;
 }
 
 NS_IMETHODIMP
-nsContentPolicy::ShouldProcess(uint32_t          contentType,
-                               nsIURI           *contentLocation,
-                               nsIURI           *requestingLocation,
-                               nsISupports      *requestingContext,
+nsContentPolicy::ShouldProcess(nsIURI           *contentLocation,
+                               nsILoadInfo      *loadInfo,
                                const nsACString &mimeType,
-                               nsISupports      *extra,
-                               nsIPrincipal     *requestPrincipal,
                                int16_t          *decision)
 {
     nsresult rv = CheckPolicy(&nsIContentPolicy::ShouldProcess,
-                              contentType,
-                              contentLocation, requestingLocation,
-                              requestingContext, mimeType, extra,
-                              requestPrincipal, decision);
+                              contentLocation, loadInfo,
+                              mimeType, decision);
     LOG_CHECK("ShouldProcess");
 
     return rv;
 }
--- a/dom/base/nsContentPolicy.h
+++ b/dom/base/nsContentPolicy.h
@@ -24,29 +24,24 @@ class nsContentPolicy : public nsIConten
 
  protected:
     virtual ~nsContentPolicy();
 
  private:
     //Array of policies
     nsCategoryCache<nsIContentPolicy> mPolicies;
 
-    nsCOMPtr<nsIContentPolicy> mMixedContentBlocker;
-    nsCOMPtr<nsIContentPolicy> mCSPService;
-
     //Helper type for CheckPolicy
     typedef decltype(&nsIContentPolicy::ShouldProcess) CPMethod;
 
     //Helper method that applies policyMethod across all policies in mPolicies
     // with the given parameters
     nsresult CheckPolicy(CPMethod policyMethod,
-                         nsContentPolicyType contentType,
-                         nsIURI *aURI, nsIURI *origURI,
-                         nsISupports *requestingContext,
-                         const nsACString &mimeGuess, nsISupports *extra,
-                         nsIPrincipal *requestPrincipal,
+                         nsIURI *aURI, 
+                         nsILoadInfo *aLoadInfo,
+                         const nsACString &mimeGuess,
                          int16_t *decision);
 };
 
 nsresult
 NS_NewContentPolicy(nsIContentPolicy **aResult);
 
 #endif /* __nsContentPolicy_h__ */
--- a/dom/base/nsContentPolicyUtils.h
+++ b/dom/base/nsContentPolicyUtils.h
@@ -145,27 +145,23 @@ NS_CP_ContentTypeName(uint32_t contentTy
 /* Passes on parameters from its "caller"'s context. */
 #define CHECK_CONTENT_POLICY(action)                                          \
   PR_BEGIN_MACRO                                                              \
     nsCOMPtr<nsIContentPolicy> policy =                                       \
          do_GetService(NS_CONTENTPOLICY_CONTRACTID);                          \
     if (!policy)                                                              \
         return NS_ERROR_FAILURE;                                              \
                                                                               \
-    return policy-> action (contentType, contentLocation, requestOrigin,      \
-                            context, mimeType, extra, triggeringPrincipal,    \
-                            decision);                                        \
+    return policy-> action (contentLocation, loadInfo, mimeType, decision);   \
   PR_END_MACRO
 
 /* Passes on parameters from its "caller"'s context. */
 #define CHECK_CONTENT_POLICY_WITH_SERVICE(action, _policy)                    \
   PR_BEGIN_MACRO                                                              \
-    return _policy-> action (contentType, contentLocation, requestOrigin,     \
-                             context, mimeType, extra, triggeringPrincipal,   \
-                             decision);                                       \
+    return _policy-> action (contentLocation, loadInfo, mimeType, decision);  \
   PR_END_MACRO
 
 /**
  * Check whether we can short-circuit this check and bail out.  If not, get the
  * origin URI to use.
  *
  * Note: requestOrigin is scoped outside the PR_BEGIN_MACRO/PR_END_MACRO on
  * purpose */
@@ -188,22 +184,18 @@ NS_CP_ContentTypeName(uint32_t contentTy
           if (n) {                                                            \
               nsIDocument* d = n->OwnerDoc();                                 \
               if (d->IsLoadedAsData() || d->IsBeingUsedAsImage() ||           \
                   d->IsResourceDoc()) {                                       \
                   nsCOMPtr<nsIContentPolicy> dataPolicy =                     \
                       do_GetService(                                          \
                               "@mozilla.org/data-document-content-policy;1"); \
                   if (dataPolicy) {                                           \
-                      nsContentPolicyType externalType =                      \
-                          nsContentUtils::InternalContentPolicyTypeToExternal(contentType); \
-                      dataPolicy-> action (externalType, contentLocation,     \
-                                           requestOrigin, context,            \
-                                           mimeType, extra,                   \
-                                           triggeringPrincipal, decision);    \
+                      dataPolicy-> action (contentLocation, loadInfo,         \
+                                           mimeType, decision);               \
                   }                                                           \
               }                                                               \
           }                                                                   \
           return NS_OK;                                                       \
       }                                                                       \
       nsresult rv = loadingPrincipal->GetURI(getter_AddRefs(requestOrigin));  \
       NS_ENSURE_SUCCESS(rv, rv);                                              \
   }                                                                           \
@@ -215,54 +207,45 @@ NS_CP_ContentTypeName(uint32_t contentTy
  * and triggeringPrincipal parameters (which should be non-null if possible,
  * and have the same semantics as in nsLoadInfo), and the last parameter,
  * which can be used to pass in a pointer to a useful service if the caller
  * already has it.  The origin URI to pass to shouldLoad will be the URI of
  * loadingPrincipal, unless loadingPrincipal is null (in which case a null
  * origin URI will be passed).
  */
 inline nsresult
-NS_CheckContentLoadPolicy(uint32_t          contentType,
-                          nsIURI           *contentLocation,
-                          nsIPrincipal     *loadingPrincipal,
-                          nsIPrincipal     *triggeringPrincipal,
-                          nsISupports      *context,
+NS_CheckContentLoadPolicy(nsIURI           *contentLocation,
+                          nsILoadInfo      *loadInfo,
                           const nsACString &mimeType,
-                          nsISupports      *extra,
                           int16_t          *decision,
                           nsIContentPolicy *policyService = nullptr)
 {
+    nsIPrincipal* loadingPrincipal = loadInfo->LoadingPrincipal();
+    nsCOMPtr<nsISupports> context = loadInfo->GetLoadingContext();
+    nsContentPolicyType contentType = loadInfo->InternalContentPolicyType();
     CHECK_PRINCIPAL_AND_DATA(ShouldLoad);
     if (policyService) {
         CHECK_CONTENT_POLICY_WITH_SERVICE(ShouldLoad, policyService);
     }
     CHECK_CONTENT_POLICY(ShouldLoad);
 }
 
 /**
- * Alias for calling ShouldProcess on the content policy service.  Parameters
- * are the same as nsIContentPolicy::shouldLoad, except for the and
- * triggeringPrincipal parameters (which should be non-null if possible, and
- * have the same semantics as in nsLoadInfo), and the last parameter, which
- * can be used to pass in a pointer to a useful service if the caller already
- * has it.  The origin URI to pass to shouldLoad will be the URI of
- * loadingPrincipal, unless loadingPrincipal is null (in which case a null
- * origin URI will be passed).
+ * Alias for calling ShouldProcess on the content policy service.
  */
 inline nsresult
-NS_CheckContentProcessPolicy(uint32_t          contentType,
-                             nsIURI           *contentLocation,
-                             nsIPrincipal     *loadingPrincipal,
-                             nsIPrincipal     *triggeringPrincipal,
-                             nsISupports      *context,
+NS_CheckContentProcessPolicy(nsIURI           *contentLocation,
+                             nsILoadInfo      *loadInfo,
                              const nsACString &mimeType,
-                             nsISupports      *extra,
                              int16_t          *decision,
                              nsIContentPolicy *policyService = nullptr)
 {
+    nsIPrincipal* loadingPrincipal = loadInfo->LoadingPrincipal();
+    nsCOMPtr<nsISupports> context = loadInfo->GetLoadingContext();
+    nsContentPolicyType contentType = loadInfo->InternalContentPolicyType();
     CHECK_PRINCIPAL_AND_DATA(ShouldProcess);
     if (policyService) {
         CHECK_CONTENT_POLICY_WITH_SERVICE(ShouldProcess, policyService);
     }
     CHECK_CONTENT_POLICY(ShouldProcess);
 }
 
 #undef CHECK_CONTENT_POLICY
--- a/dom/base/nsContentUtils.cpp
+++ b/dom/base/nsContentUtils.cpp
@@ -3445,17 +3445,17 @@ nsContentUtils::GetContextForContent(con
     return nullptr;
   }
 
   return presShell->GetPresContext();
 }
 
 // static
 bool
-nsContentUtils::CanLoadImage(nsIURI* aURI, nsISupports* aContext,
+nsContentUtils::CanLoadImage(nsIURI* aURI, nsINode* aNode,
                              nsIDocument* aLoadingDocument,
                              nsIPrincipal* aLoadingPrincipal,
                              int16_t* aImageBlockingStatus,
                              uint32_t aContentType)
 {
   NS_PRECONDITION(aURI, "Must have a URI");
   NS_PRECONDITION(aLoadingDocument, "Must have a document");
   NS_PRECONDITION(aLoadingPrincipal, "Must have a loading principal");
@@ -3490,25 +3490,27 @@ nsContentUtils::CanLoadImage(nsIURI* aUR
         // Reject the request itself, not all requests to the relevant
         // server...
         *aImageBlockingStatus = nsIContentPolicy::REJECT_REQUEST;
       }
       return false;
     }
   }
 
+  nsCOMPtr<nsILoadInfo> secCheckLoadInfo =
+    new LoadInfo(aLoadingPrincipal,
+                 aLoadingPrincipal, // triggering principal
+                 aNode,
+                 nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK,
+                 aContentType);
+
   int16_t decision = nsIContentPolicy::ACCEPT;
 
-  rv = NS_CheckContentLoadPolicy(aContentType,
-                                 aURI,
-                                 aLoadingPrincipal,
-                                 aLoadingPrincipal, // triggering principal
-                                 aContext,
+  rv = NS_CheckContentLoadPolicy(aURI, secCheckLoadInfo,
                                  EmptyCString(), //mime guess
-                                 nullptr,         //extra
                                  &decision,
                                  GetContentPolicy());
 
   if (aImageBlockingStatus) {
     *aImageBlockingStatus =
       NS_FAILED(rv) ? nsIContentPolicy::REJECT_REQUEST : decision;
   }
   return NS_FAILED(rv) ? false : NS_CP_ACCEPTED(decision);
--- a/dom/base/nsContentUtils.h
+++ b/dom/base/nsContentUtils.h
@@ -802,32 +802,32 @@ public:
    *         (if GetComposedDoc returns nullptr)
    */
   static nsIPresShell* GetPresShellForContent(const nsIContent* aContent);
 
   /**
    * Method to do security and content policy checks on the image URI
    *
    * @param aURI uri of the image to be loaded
-   * @param aContext the context the image is loaded in (eg an element)
+   * @param aNode, the context the image is loaded in (eg an element)
    * @param aLoadingDocument the document we belong to
    * @param aLoadingPrincipal the principal doing the load
    * @param [aContentPolicyType=nsIContentPolicy::TYPE_INTERNAL_IMAGE] (Optional)
    *        The CP content type to use
    * @param aImageBlockingStatus the nsIContentPolicy blocking status for this
    *        image.  This will be set even if a security check fails for the
    *        image, to some reasonable REJECT_* value.  This out param will only
    *        be set if it's non-null.
    * @return true if the load can proceed, or false if it is blocked.
    *         Note that aImageBlockingStatus, if set will always be an ACCEPT
    *         status if true is returned and always be a REJECT_* status if
    *         false is returned.
    */
   static bool CanLoadImage(nsIURI* aURI,
-                           nsISupports* aContext,
+                           nsINode* aNode,
                            nsIDocument* aLoadingDocument,
                            nsIPrincipal* aLoadingPrincipal,
                            int16_t* aImageBlockingStatus = nullptr,
                            uint32_t aContentPolicyType = nsIContentPolicy::TYPE_INTERNAL_IMAGE);
 
   /**
    * Returns true if objects in aDocument shouldn't initiate image loads.
    */
--- a/dom/base/nsDataDocumentContentPolicy.cpp
+++ b/dom/base/nsDataDocumentContentPolicy.cpp
@@ -32,25 +32,24 @@ HasFlags(nsIURI* aURI, uint32_t aURIFlag
   nsresult rv = NS_URIChainHasFlags(aURI, aURIFlags, &hasFlags);
   return NS_SUCCEEDED(rv) && hasFlags;
 }
 
 // If you change DataDocumentContentPolicy, make sure to check that
 // CHECK_PRINCIPAL_AND_DATA in nsContentPolicyUtils is still valid.
 // nsContentPolicyUtils may not pass all the parameters to ShouldLoad.
 NS_IMETHODIMP
-nsDataDocumentContentPolicy::ShouldLoad(uint32_t aContentType,
-                                        nsIURI *aContentLocation,
-                                        nsIURI *aRequestingLocation,
-                                        nsISupports *aRequestingContext,
+nsDataDocumentContentPolicy::ShouldLoad(nsIURI *aContentLocation,
+                                        nsILoadInfo* aLoadInfo,
                                         const nsACString &aMimeGuess,
-                                        nsISupports *aExtra,
-                                        nsIPrincipal *aRequestPrincipal,
                                         int16_t *aDecision)
 {
+  uint32_t aContentType = aLoadInfo->GetExternalContentPolicyType();
+  nsCOMPtr<nsISupports> aRequestingContext = aLoadInfo->GetLoadingContext();
+
   MOZ_ASSERT(aContentType == nsContentUtils::InternalContentPolicyTypeToExternal(aContentType),
              "We should only see external content policy types here.");
 
   *aDecision = nsIContentPolicy::ACCEPT;
   // Look for the document.  In most cases, aRequestingContext is a node.
   nsCOMPtr<nsIDocument> doc;
   nsCOMPtr<nsINode> node = do_QueryInterface(aRequestingContext);
   if (node) {
@@ -140,21 +139,15 @@ nsDataDocumentContentPolicy::ShouldLoad(
   // If you add more restrictions here, make sure to check that
   // CHECK_PRINCIPAL_AND_DATA in nsContentPolicyUtils is still valid.
   // nsContentPolicyUtils may not pass all the parameters to ShouldLoad
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
-nsDataDocumentContentPolicy::ShouldProcess(uint32_t aContentType,
-                                           nsIURI *aContentLocation,
-                                           nsIURI *aRequestingLocation,
-                                           nsISupports *aRequestingContext,
+nsDataDocumentContentPolicy::ShouldProcess(nsIURI *aContentLocation,
+                                           nsILoadInfo *aLoadInfo,
                                            const nsACString &aMimeGuess,
-                                           nsISupports *aExtra,
-                                           nsIPrincipal *aRequestPrincipal,
                                            int16_t *aDecision)
 {
-  return ShouldLoad(aContentType, aContentLocation, aRequestingLocation,
-                    aRequestingContext, aMimeGuess, aExtra, aRequestPrincipal,
-                    aDecision);
+  return ShouldLoad(aContentLocation, aLoadInfo, aMimeGuess, aDecision);
 }
--- a/dom/base/nsIContentPolicy.idl
+++ b/dom/base/nsIContentPolicy.idl
@@ -2,18 +2,17 @@
 /* vim: set ft=cpp tw=78 sw=2 et ts=8 : */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsISupports.idl"
 
 interface nsIURI;
-interface nsIDOMNode;
-interface nsIPrincipal;
+interface nsILoadInfo;
 
 /**
  * The type of nsIContentPolicy::TYPE_*
  */
 typedef unsigned long nsContentPolicyType;
 
 /**
  * Interface for content policy mechanism.  Implementations of this
@@ -392,54 +391,27 @@ interface nsIContentPolicy : nsISupports
    */
   const short ACCEPT = 1;
 
   /**
    * Should the resource at this location be loaded?
    * ShouldLoad will be called before loading the resource at aContentLocation
    * to determine whether to start the load at all.
    *
-   * @param aContentType      the type of content being tested. This will be one
-   *                          one of the TYPE_* constants.
-   *
    * @param aContentLocation  the location of the content being checked; must
    *                          not be null
    *
-   * @param aRequestOrigin    OPTIONAL. the location of the resource that
-   *                          that is loading the request. This will generally
-   *                          be the URI of the loading principal for the
-   *                          resulting request (as determined by its
-   *                          LoadInfo), but may vary depending on the
-   *                          caller. Can be null if inapplicable.
-   *
-   * @param aContext          OPTIONAL. the nsIDOMNode or nsIDOMWindow that
-   *                          initiated the request, or something that can QI
-   *                          to one of those; can be null if inapplicable.
-   *                          Note that for navigation events (new windows and
-   *                          link clicks), this is the NEW window.
+   * @param aLoadInfo         the loadinfo of the channel being evaluated.
    *
    * @param aMimeTypeGuess    OPTIONAL. a guess for the requested content's
    *                          MIME type, based on information available to
    *                          the request initiator (e.g., an OBJECT's type
    *                          attribute); does not reliably reflect the
    *                          actual MIME type of the requested content
    *
-   * @param aExtra            an OPTIONAL argument, pass-through for non-Gecko
-   *                          callers to pass extra data to callees.
-   *
-   * @param aRequestPrincipal an OPTIONAL argument, defines the principal that
-   *                          caused the load. This is optional only for
-   *                          non-gecko code: all gecko code should set this
-   *                          argument. This should generally be the same as
-   *                          the triggering principal for the resulting
-   *                          request (as determined by its LoadInfo), but may
-   *                          vary depending on the caller. Sometimes it will
-   *                          be the loading principal or final channel
-   *                          principal instead.
-   *
    * @return ACCEPT or REJECT_*
    *
    * @note shouldLoad can be called while the DOM and layout of the document
    * involved is in an inconsistent state.  This means that implementors of
    * this method MUST NOT do any of the following:
    * 1)  Modify the DOM in any way (e.g. setting attributes is a no-no).
    * 2)  Query any DOM properties that depend on layout (e.g. offset*
    *     properties).
@@ -449,59 +421,39 @@ interface nsIContentPolicy : nsISupports
    * 5)  [JavaScript implementations only] Access properties of any sort on any
    *     object without using XPCNativeWrapper (either explicitly or
    *     implicitly).  Due to various DOM0 things, this leads to item 4.
    * If you do any of these things in your shouldLoad implementation, expect
    * unpredictable behavior, possibly including crashes, content not showing
    * up, content showing up doubled, etc.  If you need to do any of the things
    * above, do them off timeout or event.
    */
-  short shouldLoad(in nsContentPolicyType aContentType,
-                   in nsIURI        aContentLocation,
-                   in nsIURI        aRequestOrigin,
-                   in nsISupports   aContext,
-                   in ACString      aMimeTypeGuess,
-                   in nsISupports   aExtra,
-                   [optional] in nsIPrincipal  aRequestPrincipal);
+  short shouldLoad(in nsIURI      aContentLocation,
+                   in nsILoadInfo aLoadInfo,
+                   in ACString    aMimeTypeGuess);
 
   /**
    * Should the resource be processed?
    * ShouldProcess will be called once all the information passed to it has
    * been determined about the resource, typically after part of the resource
    * has been loaded.
    *
-   * @param aContentType      the type of content being tested. This will be one
-   *                          one of the TYPE_* constants.
-   *
    * @param aContentLocation  OPTIONAL; the location of the resource being
    *                          requested: MAY be, e.g., a post-redirection URI
    *                          for the resource.
    *
-   * @param aRequestOrigin    OPTIONAL. the location of the resource that
-   *                          initiated this load request; can be null if
-   *                          inapplicable
-   *
-   * @param aContext          OPTIONAL. the nsIDOMNode or nsIDOMWindow that
-   *                          initiated the request, or something that can QI
-   *                          to one of those; can be null if inapplicable.
+   * @param aLoadInfo         the loadinfo of the channel being evaluated.
    *
    * @param aMimeType         the MIME type of the requested resource (e.g.,
    *                          image/png), as reported by the networking library,
    *                          if available (may be empty if inappropriate for
    *                          the type, e.g., TYPE_REFRESH).
    *
-   * @param aExtra            an OPTIONAL argument, pass-through for non-Gecko
-   *                          callers to pass extra data to callees.
-   *
    * @return ACCEPT or REJECT_*
    *
    * @note shouldProcess can be called while the DOM and layout of the document
    * involved is in an inconsistent state.  See the note on shouldLoad to see
    * what this means for implementors of this method.
    */
-  short shouldProcess(in nsContentPolicyType aContentType,
-                      in nsIURI        aContentLocation,
-                      in nsIURI        aRequestOrigin,
-                      in nsISupports   aContext,
-                      in ACString      aMimeType,
-                      in nsISupports   aExtra,
-                      [optional] in nsIPrincipal  aRequestPrincipal);
+  short shouldProcess(in nsIURI      aContentLocation,
+                      in nsILoadInfo aLoadInfo,
+                      in ACString    aMimeType);
 };
--- a/dom/base/nsNoDataProtocolContentPolicy.cpp
+++ b/dom/base/nsNoDataProtocolContentPolicy.cpp
@@ -18,25 +18,23 @@
 #include "nsIExternalProtocolHandler.h"
 #include "nsIURI.h"
 #include "nsNetUtil.h"
 #include "nsContentUtils.h"
 
 NS_IMPL_ISUPPORTS(nsNoDataProtocolContentPolicy, nsIContentPolicy)
 
 NS_IMETHODIMP
-nsNoDataProtocolContentPolicy::ShouldLoad(uint32_t aContentType,
-                                          nsIURI *aContentLocation,
-                                          nsIURI *aRequestingLocation,
-                                          nsISupports *aRequestingContext,
+nsNoDataProtocolContentPolicy::ShouldLoad(nsIURI *aContentLocation,
+                                          nsILoadInfo *aLoadInfo,
                                           const nsACString &aMimeGuess,
-                                          nsISupports *aExtra,
-                                          nsIPrincipal *aRequestPrincipal,
                                           int16_t *aDecision)
 {
+  uint32_t aContentType = aLoadInfo->GetExternalContentPolicyType();
+
   MOZ_ASSERT(aContentType == nsContentUtils::InternalContentPolicyTypeToExternal(aContentType),
              "We should only see external content policy types here.");
 
   *aDecision = nsIContentPolicy::ACCEPT;
 
   // Don't block for TYPE_OBJECT since such URIs are sometimes loaded by the
   // plugin, so they don't necessarily open external apps
   // TYPE_WEBSOCKET loads can only go to ws:// or wss://, so we don't need to
@@ -66,21 +64,15 @@ nsNoDataProtocolContentPolicy::ShouldLoa
       *aDecision = nsIContentPolicy::REJECT_REQUEST;
     }
   }
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
-nsNoDataProtocolContentPolicy::ShouldProcess(uint32_t aContentType,
-                                             nsIURI *aContentLocation,
-                                             nsIURI *aRequestingLocation,
-                                             nsISupports *aRequestingContext,
+nsNoDataProtocolContentPolicy::ShouldProcess(nsIURI *aContentLocation,
+                                             nsILoadInfo* aLoadInfo,
                                              const nsACString &aMimeGuess,
-                                             nsISupports *aExtra,
-                                             nsIPrincipal *aRequestPrincipal,
                                              int16_t *aDecision)
 {
-  return ShouldLoad(aContentType, aContentLocation, aRequestingLocation,
-                    aRequestingContext, aMimeGuess, aExtra, aRequestPrincipal,
-                    aDecision);
+  return ShouldLoad(aContentLocation, aLoadInfo, aMimeGuess, aDecision);
 }
--- a/dom/base/nsObjectLoadingContent.cpp
+++ b/dom/base/nsObjectLoadingContent.cpp
@@ -87,16 +87,17 @@
 #include "mozilla/EventStateManager.h"
 #include "mozilla/EventStates.h"
 #include "mozilla/IMEStateManager.h"
 #include "mozilla/widget/IMEData.h"
 #include "mozilla/IntegerPrintfMacros.h"
 #include "mozilla/dom/HTMLObjectElementBinding.h"
 #include "mozilla/dom/HTMLEmbedElement.h"
 #include "mozilla/dom/HTMLObjectElement.h"
+#include "mozilla/LoadInfo.h"
 #include "nsChannelClassifier.h"
 #include "nsFocusManager.h"
 
 #ifdef XP_WIN
 // Thanks so much, Microsoft! :(
 #ifdef CreateEvent
 #undef CreateEvent
 #endif
@@ -1458,24 +1459,27 @@ nsObjectLoadingContent::CheckLoadPolicy(
   nsCOMPtr<nsIContent> thisContent =
     do_QueryInterface(static_cast<nsIImageLoadingContent*>(this));
   NS_ASSERTION(thisContent, "Must be an instance of content");
 
   nsIDocument* doc = thisContent->OwnerDoc();
 
   nsContentPolicyType contentPolicyType = GetContentPolicyType();
 
+  nsCOMPtr<nsILoadInfo> secCheckLoadInfo =
+    new LoadInfo(doc->NodePrincipal(), // loading principal
+                 doc->NodePrincipal(), // triggering principal
+                 thisContent,
+                 nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK,
+                 contentPolicyType);
+
   *aContentPolicy = nsIContentPolicy::ACCEPT;
-  nsresult rv = NS_CheckContentLoadPolicy(contentPolicyType,
-                                          mURI,
-                                          doc->NodePrincipal(), // loading principal
-                                          doc->NodePrincipal(), // triggering principal
-                                          thisContent,
+  nsresult rv = NS_CheckContentLoadPolicy(mURI,
+                                          secCheckLoadInfo,
                                           mContentType,
-                                          nullptr, //extra
                                           aContentPolicy,
                                           nsContentUtils::GetContentPolicy());
   NS_ENSURE_SUCCESS(rv, false);
   if (NS_CP_REJECTED(*aContentPolicy)) {
     LOG(("OBJLC [%p]: Content policy denied load of %s",
          this, mURI->GetSpecOrDefault().get()));
     return false;
   }
@@ -1511,25 +1515,28 @@ nsObjectLoadingContent::CheckProcessPoli
     case eType_Plugin:
       objectType = GetContentPolicyType();
       break;
     default:
       NS_NOTREACHED("Calling checkProcessPolicy with a unloadable type");
       return false;
   }
 
+  nsCOMPtr<nsILoadInfo> secCheckLoadInfo =
+    new LoadInfo(doc->NodePrincipal(), // loading principal
+                 doc->NodePrincipal(), // triggering principal
+                 thisContent,
+                 nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK,
+                 objectType);
+
   *aContentPolicy = nsIContentPolicy::ACCEPT;
   nsresult rv =
-    NS_CheckContentProcessPolicy(objectType,
-                                 mURI ? mURI : mBaseURI,
-                                 doc->NodePrincipal(), // loading principal
-                                 doc->NodePrincipal(), // triggering principal
-                                 static_cast<nsIImageLoadingContent*>(this),
+    NS_CheckContentProcessPolicy(mURI ? mURI : mBaseURI,
+                                 secCheckLoadInfo,
                                  mContentType,
-                                 nullptr, //extra
                                  aContentPolicy,
                                  nsContentUtils::GetContentPolicy());
   NS_ENSURE_SUCCESS(rv, false);
 
   if (NS_CP_REJECTED(*aContentPolicy)) {
     LOG(("OBJLC [%p]: CheckContentProcessPolicy rejected load", this));
     return false;
   }
--- a/dom/html/ImageDocument.cpp
+++ b/dom/html/ImageDocument.cpp
@@ -89,32 +89,40 @@ ImageListener::OnStartRequest(nsIRequest
 
   // Do a ShouldProcess check to see whether to keep loading the image.
   nsCOMPtr<nsIURI> channelURI;
   channel->GetURI(getter_AddRefs(channelURI));
 
   nsAutoCString mimeType;
   channel->GetContentType(mimeType);
 
-  nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
-  nsCOMPtr<nsIPrincipal> channelPrincipal;
-  if (secMan) {
-    secMan->GetChannelResultPrincipal(channel, getter_AddRefs(channelPrincipal));
+  nsCOMPtr<nsILoadInfo> loadInfo = channel->GetLoadInfo();
+  // query the corresponding arguments for the channel loadinfo and pass
+  // it on to the temporary loadinfo used for content policy checks.
+  nsCOMPtr<nsINode> requestingNode = domWindow->GetFrameElementInternal();
+  nsCOMPtr<nsIPrincipal> loadingPrincipal;
+  if (requestingNode) {
+    loadingPrincipal = requestingNode->NodePrincipal();
+  }
+  else {
+    nsContentUtils::GetSecurityManager()->
+      GetChannelResultPrincipal(channel, getter_AddRefs(loadingPrincipal));
   }
 
-  nsCOMPtr<nsILoadInfo> loadInfo = channel->GetLoadInfo();
+  nsCOMPtr<nsILoadInfo> secCheckLoadInfo =
+    new net::LoadInfo(loadingPrincipal,
+                      loadInfo ? loadInfo->TriggeringPrincipal() : nullptr,
+                      requestingNode,
+                      nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK,
+                      nsIContentPolicy::TYPE_INTERNAL_IMAGE);
 
   int16_t decision = nsIContentPolicy::ACCEPT;
-  nsresult rv = NS_CheckContentProcessPolicy(nsIContentPolicy::TYPE_INTERNAL_IMAGE,
-                                             channelURI,
-                                             channelPrincipal,
-                                             loadInfo ? loadInfo->TriggeringPrincipal() : nullptr,
-                                             domWindow->GetFrameElementInternal(),
+  nsresult rv = NS_CheckContentProcessPolicy(channelURI,
+                                             secCheckLoadInfo,
                                              mimeType,
-                                             nullptr,
                                              &decision,
                                              nsContentUtils::GetContentPolicy());
 
   if (NS_FAILED(rv) || NS_CP_REJECTED(decision)) {
     request->Cancel(NS_ERROR_CONTENT_BLOCKED);
     return NS_OK;
   }
 
--- a/dom/plugins/base/nsPluginStreamListenerPeer.cpp
+++ b/dom/plugins/base/nsPluginStreamListenerPeer.cpp
@@ -168,36 +168,22 @@ nsPluginStreamListenerPeer::OnStartReque
   }
 
   nsAutoCString contentType;
   rv = channel->GetContentType(contentType);
   if (NS_FAILED(rv))
     return rv;
 
   // Check ShouldProcess with content policy
-  RefPtr<nsPluginInstanceOwner> owner;
-  if (mPluginInstance) {
-    owner = mPluginInstance->GetOwner();
-  }
-  nsCOMPtr<nsIDOMElement> element;
-  nsCOMPtr<nsIDocument> doc;
-  if (owner) {
-    owner->GetDOMElement(getter_AddRefs(element));
-    owner->GetDocument(getter_AddRefs(doc));
-  }
-  nsCOMPtr<nsIPrincipal> principal = doc ? doc->NodePrincipal() : nullptr;
+  nsCOMPtr<nsILoadInfo> loadInfo = channel->GetLoadInfo();
 
   int16_t shouldLoad = nsIContentPolicy::ACCEPT;
-  rv = NS_CheckContentProcessPolicy(nsIContentPolicy::TYPE_OBJECT_SUBREQUEST,
-                                    mURL,
-                                    principal, // loading principal
-                                    principal, // triggering principal
-                                    element,
+  rv = NS_CheckContentProcessPolicy(mURL,
+                                    loadInfo,
                                     contentType,
-                                    nullptr,
                                     &shouldLoad);
   if (NS_FAILED(rv) || NS_CP_REJECTED(shouldLoad)) {
     mRequestFailed = true;
     return NS_ERROR_CONTENT_BLOCKED;
   }
 
   // Get the notification callbacks from the channel and save it as
   // week ref we'll use it in nsPluginStreamInfo::RequestRead() when
--- a/dom/script/ScriptLoader.cpp
+++ b/dom/script/ScriptLoader.cpp
@@ -49,16 +49,17 @@
 #include "mozilla/Logging.h"
 #include "nsCRT.h"
 #include "nsContentCreatorFunctions.h"
 #include "nsProxyRelease.h"
 #include "nsSandboxFlags.h"
 #include "nsContentTypeParser.h"
 #include "nsINetworkPredictor.h"
 #include "mozilla/ConsoleReportCollector.h"
+#include "mozilla/LoadInfo.h"
 
 #include "mozilla/AsyncEventDispatcher.h"
 #include "mozilla/Attributes.h"
 #include "mozilla/Telemetry.h"
 #include "mozilla/TimeStamp.h"
 #include "mozilla/Unused.h"
 #include "nsIScriptError.h"
 #include "nsIOutputStream.h"
@@ -315,24 +316,27 @@ ScriptLoader::CheckContentPolicy(nsIDocu
                                  nsIURI* aURI,
                                  const nsAString& aType,
                                  bool aIsPreLoad)
 {
   nsContentPolicyType contentPolicyType = aIsPreLoad
                                           ? nsIContentPolicy::TYPE_INTERNAL_SCRIPT_PRELOAD
                                           : nsIContentPolicy::TYPE_INTERNAL_SCRIPT;
 
+  nsCOMPtr<nsINode> requestingNode = do_QueryInterface(aContext);
+  nsCOMPtr<nsILoadInfo> secCheckLoadInfo =
+    new net::LoadInfo(aDocument->NodePrincipal(), // loading principal
+                      aDocument->NodePrincipal(), // triggering principal
+                      requestingNode,
+                      nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK,
+                      contentPolicyType);
+
   int16_t shouldLoad = nsIContentPolicy::ACCEPT;
-  nsresult rv = NS_CheckContentLoadPolicy(contentPolicyType,
-                                          aURI,
-                                          aDocument->NodePrincipal(), // loading principal
-                                          aDocument->NodePrincipal(), // triggering principal
-                                          aContext,
+  nsresult rv = NS_CheckContentLoadPolicy(aURI, secCheckLoadInfo,
                                           NS_LossyConvertUTF16toASCII(aType),
-                                          nullptr,    //extra
                                           &shouldLoad,
                                           nsContentUtils::GetContentPolicy());
   if (NS_FAILED(rv) || NS_CP_REJECTED(shouldLoad)) {
     if (NS_FAILED(rv) || shouldLoad != nsIContentPolicy::REJECT_TYPE) {
       return NS_ERROR_CONTENT_BLOCKED;
     }
     return NS_ERROR_CONTENT_BLOCKED_SHOW_ALT;
   }
--- a/dom/security/nsCSPService.cpp
+++ b/dom/security/nsCSPService.cpp
@@ -115,29 +115,34 @@ subjectToCSP(nsIURI* aURI, nsContentPoli
     return false;
   }
   // all other protocols are subject To CSP.
   return true;
 }
 
 /* nsIContentPolicy implementation */
 NS_IMETHODIMP
-CSPService::ShouldLoad(uint32_t aContentType,
-                       nsIURI *aContentLocation,
-                       nsIURI *aRequestOrigin,
-                       nsISupports *aRequestContext,
+CSPService::ShouldLoad(nsIURI *aContentLocation,
+                       nsILoadInfo* aLoadInfo,
                        const nsACString &aMimeTypeGuess,
-                       nsISupports *aExtra,
-                       nsIPrincipal *aRequestPrincipal,
                        int16_t *aDecision)
 {
   if (!aContentLocation) {
     return NS_ERROR_FAILURE;
   }
 
+  uint32_t aContentType = aLoadInfo->InternalContentPolicyType();
+  nsCOMPtr<nsISupports> aRequestContext = aLoadInfo->GetLoadingContext();
+  nsCOMPtr<nsIPrincipal> aRequestPrincipal = aLoadInfo->TriggeringPrincipal();
+  nsCOMPtr<nsIURI> aRequestOrigin;
+  nsCOMPtr<nsIPrincipal> loadingPrincipal = aLoadInfo->LoadingPrincipal();
+  if (loadingPrincipal) {
+    loadingPrincipal->GetURI(getter_AddRefs(aRequestOrigin));
+  }
+
   if (MOZ_LOG_TEST(gCspPRLog, LogLevel::Debug)) {
     MOZ_LOG(gCspPRLog, LogLevel::Debug,
            ("CSPService::ShouldLoad called for %s",
            aContentLocation->GetSpecOrDefault().get()));
   }
 
   // default decision, CSP can revise it if there's a policy to enforce
   *aDecision = nsIContentPolicy::ACCEPT;
@@ -213,28 +218,25 @@ CSPService::ShouldLoad(uint32_t aContent
                          nullptr,
                          aDecision);
     NS_ENSURE_SUCCESS(rv, rv);
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
-CSPService::ShouldProcess(uint32_t         aContentType,
-                          nsIURI           *aContentLocation,
-                          nsIURI           *aRequestOrigin,
-                          nsISupports      *aRequestContext,
+CSPService::ShouldProcess(nsIURI           *aContentLocation,
+                          nsILoadInfo*     aLoadInfo,
                           const nsACString &aMimeTypeGuess,
-                          nsISupports      *aExtra,
-                          nsIPrincipal     *aRequestPrincipal,
                           int16_t          *aDecision)
 {
   if (!aContentLocation) {
     return NS_ERROR_FAILURE;
   }
+  uint32_t aContentType = aLoadInfo->InternalContentPolicyType();
 
   if (MOZ_LOG_TEST(gCspPRLog, LogLevel::Debug)) {
     MOZ_LOG(gCspPRLog, LogLevel::Debug,
             ("CSPService::ShouldProcess called for %s",
             aContentLocation->GetSpecOrDefault().get()));
   }
 
   // ShouldProcess is only relevant to TYPE_OBJECT, so let's convert the
@@ -245,23 +247,19 @@ CSPService::ShouldProcess(uint32_t      
   uint32_t policyType =
     nsContentUtils::InternalContentPolicyTypeToExternal(aContentType);
 
   if (policyType != nsIContentPolicy::TYPE_OBJECT) {
     *aDecision = nsIContentPolicy::ACCEPT;
     return NS_OK;
   }
 
-  return ShouldLoad(aContentType,
-                    aContentLocation,
-                    aRequestOrigin,
-                    aRequestContext,
+  return ShouldLoad(aContentLocation,
+                    aLoadInfo,
                     aMimeTypeGuess,
-                    aExtra,
-                    aRequestPrincipal,
                     aDecision);
 }
 
 /* nsIChannelEventSink implementation */
 NS_IMETHODIMP
 CSPService::AsyncOnChannelRedirect(nsIChannel *oldChannel,
                                    nsIChannel *newChannel,
                                    uint32_t flags,
--- a/dom/security/nsContentSecurityManager.cpp
+++ b/dom/security/nsContentSecurityManager.cpp
@@ -159,16 +159,20 @@ nsContentSecurityManager::AllowInsecureR
   return false;
 }
 
 static nsresult
 ValidateSecurityFlags(nsILoadInfo* aLoadInfo)
 {
   nsSecurityFlags securityMode = aLoadInfo->GetSecurityMode();
 
+  // We should never perform a security check on a loadInfo that uses the flag
+  // SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK, because that is only used for temporary
+  // loadInfos used for explicit nsIContentPolicy checks, but never be set as
+  // a security flag on an actual channel.
   if (securityMode != nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_INHERITS &&
       securityMode != nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED &&
       securityMode != nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_INHERITS &&
       securityMode != nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL &&
       securityMode != nsILoadInfo::SEC_REQUIRE_CORS_DATA_INHERITS) {
     MOZ_ASSERT(false, "need one securityflag from nsILoadInfo to perform security checks");
     return NS_ERROR_FAILURE;
   }
@@ -301,17 +305,16 @@ DoCORSChecks(nsIChannel* aChannel, nsILo
 static nsresult
 DoContentSecurityChecks(nsIChannel* aChannel, nsILoadInfo* aLoadInfo)
 {
   nsContentPolicyType contentPolicyType =
     aLoadInfo->GetExternalContentPolicyType();
   nsContentPolicyType internalContentPolicyType =
     aLoadInfo->InternalContentPolicyType();
   nsCString mimeTypeGuess;
-  nsCOMPtr<nsISupports> requestingContext = nullptr;
 
   nsCOMPtr<nsIURI> uri;
   nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
   NS_ENSURE_SUCCESS(rv, rv);
 
   if (contentPolicyType == nsIContentPolicy::TYPE_DOCUMENT ||
       contentPolicyType == nsIContentPolicy::TYPE_SUBDOCUMENT) {
     // TYPE_DOCUMENT and TYPE_SUBDOCUMENT loads might potentially
@@ -325,79 +328,69 @@ DoContentSecurityChecks(nsIChannel* aCha
         uri = fixedURI;
       }
     }
   }
 
   switch(contentPolicyType) {
     case nsIContentPolicy::TYPE_OTHER: {
       mimeTypeGuess = EmptyCString();
-      requestingContext = aLoadInfo->LoadingNode();
       break;
     }
 
     case nsIContentPolicy::TYPE_SCRIPT: {
       mimeTypeGuess = NS_LITERAL_CSTRING("application/javascript");
-      requestingContext = aLoadInfo->LoadingNode();
       break;
     }
 
     case nsIContentPolicy::TYPE_IMAGE: {
       mimeTypeGuess = EmptyCString();
-      requestingContext = aLoadInfo->LoadingNode();
       break;
     }
 
     case nsIContentPolicy::TYPE_STYLESHEET: {
       mimeTypeGuess = NS_LITERAL_CSTRING("text/css");
-      requestingContext = aLoadInfo->LoadingNode();
       break;
     }
 
     case nsIContentPolicy::TYPE_OBJECT: {
       mimeTypeGuess = EmptyCString();
-      requestingContext = aLoadInfo->LoadingNode();
       break;
     }
 
     case nsIContentPolicy::TYPE_DOCUMENT: {
       mimeTypeGuess = EmptyCString();
-      requestingContext = aLoadInfo->ContextForTopLevelLoad();
       break;
     }
 
     case nsIContentPolicy::TYPE_SUBDOCUMENT: {
       mimeTypeGuess = NS_LITERAL_CSTRING("text/html");
-      requestingContext = aLoadInfo->LoadingNode();
       break;
     }
 
     case nsIContentPolicy::TYPE_REFRESH: {
       MOZ_ASSERT(false, "contentPolicyType not supported yet");
       break;
     }
 
     case nsIContentPolicy::TYPE_XBL: {
       mimeTypeGuess = EmptyCString();
-      requestingContext = aLoadInfo->LoadingNode();
       break;
     }
 
     case nsIContentPolicy::TYPE_PING: {
       mimeTypeGuess = EmptyCString();
-      requestingContext = aLoadInfo->LoadingNode();
       break;
     }
 
     case nsIContentPolicy::TYPE_XMLHTTPREQUEST: {
       // alias nsIContentPolicy::TYPE_DATAREQUEST:
-      requestingContext = aLoadInfo->LoadingNode();
 #ifdef DEBUG
       {
-        nsCOMPtr<nsINode> node = do_QueryInterface(requestingContext);
+        nsCOMPtr<nsINode> node = aLoadInfo->LoadingNode();
         MOZ_ASSERT(!node || node->NodeType() == nsINode::DOCUMENT_NODE,
                    "type_xml requires requestingContext of type Document");
       }
 #endif
       // We're checking for the external TYPE_XMLHTTPREQUEST here in case
       // an addon creates a request with that type.
       if (internalContentPolicyType ==
             nsIContentPolicy::TYPE_INTERNAL_XMLHTTPREQUEST ||
@@ -411,57 +404,53 @@ DoContentSecurityChecks(nsIChannel* aCha
                    "can not set mime type guess for unexpected internal type");
         mimeTypeGuess = NS_LITERAL_CSTRING(TEXT_EVENT_STREAM);
       }
       break;
     }
 
     case nsIContentPolicy::TYPE_OBJECT_SUBREQUEST: {
       mimeTypeGuess = EmptyCString();
-      requestingContext = aLoadInfo->LoadingNode();
 #ifdef DEBUG
       {
-        nsCOMPtr<nsINode> node = do_QueryInterface(requestingContext);
+        nsCOMPtr<nsINode> node = aLoadInfo->LoadingNode();
         MOZ_ASSERT(!node || node->NodeType() == nsINode::ELEMENT_NODE,
                    "type_subrequest requires requestingContext of type Element");
       }
 #endif
       break;
     }
 
     case nsIContentPolicy::TYPE_DTD: {
       mimeTypeGuess = EmptyCString();
-      requestingContext = aLoadInfo->LoadingNode();
 #ifdef DEBUG
       {
-        nsCOMPtr<nsINode> node = do_QueryInterface(requestingContext);
+        nsCOMPtr<nsINode> node = aLoadInfo->LoadingNode();
         MOZ_ASSERT(!node || node->NodeType() == nsINode::DOCUMENT_NODE,
                    "type_dtd requires requestingContext of type Document");
       }
 #endif
       break;
     }
 
     case nsIContentPolicy::TYPE_FONT: {
       mimeTypeGuess = EmptyCString();
-      requestingContext = aLoadInfo->LoadingNode();
       break;
     }
 
     case nsIContentPolicy::TYPE_MEDIA: {
       if (internalContentPolicyType == nsIContentPolicy::TYPE_INTERNAL_TRACK) {
         mimeTypeGuess = NS_LITERAL_CSTRING("text/vtt");
       }
       else {
         mimeTypeGuess = EmptyCString();
       }
-      requestingContext = aLoadInfo->LoadingNode();
 #ifdef DEBUG
       {
-        nsCOMPtr<nsINode> node = do_QueryInterface(requestingContext);
+        nsCOMPtr<nsINode> node = aLoadInfo->LoadingNode();
         MOZ_ASSERT(!node || node->NodeType() == nsINode::ELEMENT_NODE,
                    "type_media requires requestingContext of type Element");
       }
 #endif
       break;
     }
 
     case nsIContentPolicy::TYPE_WEBSOCKET: {
@@ -470,89 +459,77 @@ DoContentSecurityChecks(nsIChannel* aCha
       nsCOMPtr<nsIHttpChannelInternal> httpChannelInternal
         = do_QueryInterface(aChannel);
       MOZ_ASSERT(httpChannelInternal);
       if (httpChannelInternal) {
         rv = httpChannelInternal->GetProxyURI(getter_AddRefs(uri));
         MOZ_ASSERT(NS_SUCCEEDED(rv));
       }
       mimeTypeGuess = EmptyCString();
-      requestingContext = aLoadInfo->LoadingNode();
       break;
     }
 
     case nsIContentPolicy::TYPE_CSP_REPORT: {
       mimeTypeGuess = EmptyCString();
-      requestingContext = aLoadInfo->LoadingNode();
       break;
     }
 
     case nsIContentPolicy::TYPE_XSLT: {
       mimeTypeGuess = NS_LITERAL_CSTRING("application/xml");
-      requestingContext = aLoadInfo->LoadingNode();
 #ifdef DEBUG
       {
-        nsCOMPtr<nsINode> node = do_QueryInterface(requestingContext);
+        nsCOMPtr<nsINode> node = aLoadInfo->LoadingNode();
         MOZ_ASSERT(!node || node->NodeType() == nsINode::DOCUMENT_NODE,
                    "type_xslt requires requestingContext of type Document");
       }
 #endif
       break;
     }
 
     case nsIContentPolicy::TYPE_BEACON: {
       mimeTypeGuess = EmptyCString();
-      requestingContext = aLoadInfo->LoadingNode();
 #ifdef DEBUG
       {
-        nsCOMPtr<nsINode> node = do_QueryInterface(requestingContext);
+        nsCOMPtr<nsINode> node = aLoadInfo->LoadingNode();
         MOZ_ASSERT(!node || node->NodeType() == nsINode::DOCUMENT_NODE,
                    "type_beacon requires requestingContext of type Document");
       }
 #endif
       break;
     }
 
     case nsIContentPolicy::TYPE_FETCH: {
       mimeTypeGuess = EmptyCString();
-      requestingContext = aLoadInfo->LoadingNode();
       break;
     }
 
     case nsIContentPolicy::TYPE_IMAGESET: {
       mimeTypeGuess = EmptyCString();
-      requestingContext = aLoadInfo->LoadingNode();
       break;
     }
 
     case nsIContentPolicy::TYPE_WEB_MANIFEST: {
       mimeTypeGuess = NS_LITERAL_CSTRING("application/manifest+json");
-      requestingContext = aLoadInfo->LoadingNode();
       break;
     }
 
     case nsIContentPolicy::TYPE_SAVEAS_DOWNLOAD: {
       mimeTypeGuess = EmptyCString();
-      requestingContext = aLoadInfo->LoadingNode();
       break;
     }
 
     default:
       // nsIContentPolicy::TYPE_INVALID
       MOZ_ASSERT(false, "can not perform security check without a valid contentType");
   }
 
   int16_t shouldLoad = nsIContentPolicy::ACCEPT;
-  rv = NS_CheckContentLoadPolicy(internalContentPolicyType,
-                                 uri,
-                                 aLoadInfo->LoadingPrincipal(),
-                                 aLoadInfo->TriggeringPrincipal(),
-                                 requestingContext,
+  rv = NS_CheckContentLoadPolicy(uri,
+                                 aLoadInfo,
                                  mimeTypeGuess,
-                                 nullptr,        //extra,
                                  &shouldLoad,
                                  nsContentUtils::GetContentPolicy());
 
   if (NS_FAILED(rv) || NS_CP_REJECTED(shouldLoad)) {
     if ((NS_SUCCEEDED(rv) && shouldLoad == nsIContentPolicy::REJECT_TYPE) &&
         (contentPolicyType == nsIContentPolicy::TYPE_DOCUMENT ||
          contentPolicyType == nsIContentPolicy::TYPE_SUBDOCUMENT)) {
       // for docshell loads we might have to return SHOW_ALT.
--- a/dom/security/nsMixedContentBlocker.cpp
+++ b/dom/security/nsMixedContentBlocker.cpp
@@ -310,44 +310,33 @@ nsMixedContentBlocker::AsyncOnChannelRed
     // If an addon creates a channel, they may not set loadinfo. If that
     // channel redirects from one page to another page, we would get caught
     // in this code path. Hence, we have to return NS_OK. Once we have more
     // confidence that all channels have loadinfo, we can change this to
     // a failure. See bug 1077201.
     return NS_OK;
   }
 
-  nsContentPolicyType contentPolicyType = loadInfo->InternalContentPolicyType();
   nsCOMPtr<nsIPrincipal> requestingPrincipal = loadInfo->LoadingPrincipal();
 
   // Since we are calling shouldLoad() directly on redirects, we don't go through the code
   // in nsContentPolicyUtils::NS_CheckContentLoadPolicy(). Hence, we have to
   // duplicate parts of it here.
-  nsCOMPtr<nsIURI> requestingLocation;
   if (requestingPrincipal) {
     // We check to see if the loadingPrincipal is systemPrincipal and return
     // early if it is
     if (nsContentUtils::IsSystemPrincipal(requestingPrincipal)) {
       return NS_OK;
     }
-    // We set the requestingLocation from the RequestingPrincipal.
-    rv = requestingPrincipal->GetURI(getter_AddRefs(requestingLocation));
-    NS_ENSURE_SUCCESS(rv, rv);
   }
 
-  nsCOMPtr<nsISupports> requestingContext = loadInfo->LoadingNode();
-
   int16_t decision = REJECT_REQUEST;
-  rv = ShouldLoad(contentPolicyType,
-                  newUri,
-                  requestingLocation,
-                  requestingContext,
-                  EmptyCString(),       // aMimeGuess
-                  nullptr,              // aExtra
-                  requestingPrincipal,
+  rv = ShouldLoad(newUri,
+                  loadInfo,
+                  EmptyCString(), // aMimeGuess
                   &decision);
   if (NS_FAILED(rv)) {
     autoCallback.DontCallback();
     aOldChannel->Cancel(NS_ERROR_DOM_BAD_URI);
     return NS_BINDING_FAILED;
   }
 
   // If the channel is about to load mixed content, abort the channel
@@ -360,36 +349,41 @@ nsMixedContentBlocker::AsyncOnChannelRed
   return NS_OK;
 }
 
 /* This version of ShouldLoad() is non-static and called by the Content Policy
  * API and AsyncOnChannelRedirect().  See nsIContentPolicy::ShouldLoad()
  * for detailed description of the parameters.
  */
 NS_IMETHODIMP
-nsMixedContentBlocker::ShouldLoad(uint32_t aContentType,
-                                  nsIURI* aContentLocation,
-                                  nsIURI* aRequestingLocation,
-                                  nsISupports* aRequestingContext,
+nsMixedContentBlocker::ShouldLoad(nsIURI* aContentLocation,
+                                  nsILoadInfo* aLoadInfo,
                                   const nsACString& aMimeGuess,
-                                  nsISupports* aExtra,
-                                  nsIPrincipal* aRequestPrincipal,
                                   int16_t* aDecision)
 {
+  uint32_t aContentType = aLoadInfo->InternalContentPolicyType();
+  nsCOMPtr<nsISupports> aRequestingContext = aLoadInfo->GetLoadingContext();
+  nsCOMPtr<nsIPrincipal> aRequestPrincipal = aLoadInfo->TriggeringPrincipal();
+  nsCOMPtr<nsIURI> aRequestingLocation;
+  nsCOMPtr<nsIPrincipal> loadingPrincipal = aLoadInfo->LoadingPrincipal();
+  if (loadingPrincipal) {
+    loadingPrincipal->GetURI(getter_AddRefs(aRequestingLocation));
+  }
+
   // We pass in false as the first parameter to ShouldLoad(), because the
   // callers of this method don't know whether the load went through cached
   // image redirects.  This is handled by direct callers of the static
   // ShouldLoad.
   nsresult rv = ShouldLoad(false,   // aHadInsecureImageRedirect
                            aContentType,
                            aContentLocation,
                            aRequestingLocation,
                            aRequestingContext,
                            aMimeGuess,
-                           aExtra,
+                           nullptr, // aExtra,
                            aRequestPrincipal,
                            aDecision);
   return rv;
 }
 
 bool
 nsMixedContentBlocker::IsPotentiallyTrustworthyLoopbackURL(nsIURI* aURL) {
   nsAutoCString host;
@@ -1055,41 +1049,35 @@ nsMixedContentBlocker::ShouldLoad(bool a
     nsContentUtils::AddScriptRunner(
       new nsMixedContentEvent(aRequestingContext, classification, rootHasSecureConnection));
     *aDecision = ACCEPT;
     return NS_OK;
   }
 }
 
 NS_IMETHODIMP
-nsMixedContentBlocker::ShouldProcess(uint32_t aContentType,
-                                     nsIURI* aContentLocation,
-                                     nsIURI* aRequestingLocation,
-                                     nsISupports* aRequestingContext,
+nsMixedContentBlocker::ShouldProcess(nsIURI* aContentLocation,
+                                     nsILoadInfo* aLoadInfo,
                                      const nsACString& aMimeGuess,
-                                     nsISupports* aExtra,
-                                     nsIPrincipal* aRequestPrincipal,
                                      int16_t* aDecision)
 {
-  aContentType = nsContentUtils::InternalContentPolicyTypeToExternal(aContentType);
+  uint32_t aContentType = aLoadInfo->GetExternalContentPolicyType();
 
   if (!aContentLocation) {
     // aContentLocation may be null when a plugin is loading without an associated URI resource
     if (aContentType == TYPE_OBJECT) {
        *aDecision = ACCEPT;
        return NS_OK;
     } else {
        *aDecision = REJECT_REQUEST;
        return NS_ERROR_FAILURE;
     }
   }
 
-  return ShouldLoad(aContentType, aContentLocation, aRequestingLocation,
-                    aRequestingContext, aMimeGuess, aExtra, aRequestPrincipal,
-                    aDecision);
+  return ShouldLoad(aContentLocation, aLoadInfo, aMimeGuess, aDecision);
 }
 
 // Record information on when HSTS would have made mixed content not mixed
 // content (regardless of whether it was actually blocked)
 void
 nsMixedContentBlocker::AccumulateMixedContentHSTS(
   nsIURI* aURI, bool aActive, const OriginAttributes& aOriginAttributes)
 {
--- a/dom/serviceworkers/ServiceWorkerEvents.cpp
+++ b/dom/serviceworkers/ServiceWorkerEvents.cpp
@@ -392,21 +392,17 @@ public:
     nsCString url = mInternalResponse->GetUnfilteredURL();
     if (url.IsEmpty()) {
       // Synthetic response. The buck stops at the worker script.
       url = mScriptSpec;
     }
     rv = NS_NewURI(getter_AddRefs(uri), url, nullptr, nullptr);
     NS_ENSURE_SUCCESS(rv, false);
     int16_t decision = nsIContentPolicy::ACCEPT;
-    rv = NS_CheckContentLoadPolicy(aLoadInfo->InternalContentPolicyType(), uri,
-                                   aLoadInfo->LoadingPrincipal(),
-                                   aLoadInfo->TriggeringPrincipal(),
-                                   aLoadInfo->LoadingNode(), EmptyCString(),
-                                   nullptr, &decision);
+    rv = NS_CheckContentLoadPolicy(uri, aLoadInfo, EmptyCString(), &decision);
     NS_ENSURE_SUCCESS(rv, false);
     return decision == nsIContentPolicy::ACCEPT;
   }
 };
 
 class RespondWithHandler final : public PromiseNativeHandler
 {
   nsMainThreadPtrHandle<nsIInterceptedChannel> mInterceptedChannel;
--- a/dom/serviceworkers/ServiceWorkerManager.cpp
+++ b/dom/serviceworkers/ServiceWorkerManager.cpp
@@ -850,25 +850,28 @@ ServiceWorkerManager::Register(mozIDOMWi
   nsCOMPtr<nsIPrincipal> documentPrincipal = doc->NodePrincipal();
 
   nsresult rv = documentPrincipal->CheckMayLoad(aScriptURI, true /* report */,
                                                 false /* allowIfInheritsPrincipal */);
   if (NS_WARN_IF(NS_FAILED(rv))) {
     return NS_ERROR_DOM_SECURITY_ERR;
   }
 
+  nsCOMPtr<nsILoadInfo> secCheckLoadInfo =
+    new LoadInfo(documentPrincipal, // loading principal
+                 documentPrincipal, // triggering principal
+                 doc,
+                 nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK,
+                 nsIContentPolicy::TYPE_INTERNAL_SERVICE_WORKER);
+
   // Check content policy.
   int16_t decision = nsIContentPolicy::ACCEPT;
-  rv = NS_CheckContentLoadPolicy(nsIContentPolicy::TYPE_INTERNAL_SERVICE_WORKER,
-                                 aScriptURI,
-                                 documentPrincipal, // loading principal
-                                 documentPrincipal, // triggering principal
-                                 doc,
+  rv = NS_CheckContentLoadPolicy(aScriptURI,
+                                 secCheckLoadInfo,
                                  EmptyCString(),
-                                 nullptr,
                                  &decision);
   NS_ENSURE_SUCCESS(rv, rv);
   if (NS_WARN_IF(decision != nsIContentPolicy::ACCEPT)) {
     return NS_ERROR_CONTENT_BLOCKED;
   }
 
 
   rv = documentPrincipal->CheckMayLoad(aScopeURI, true /* report */,
--- a/dom/websocket/WebSocket.cpp
+++ b/dom/websocket/WebSocket.cpp
@@ -18,16 +18,17 @@
 #include "mozilla/dom/nsCSPContext.h"
 #include "mozilla/dom/nsCSPUtils.h"
 #include "mozilla/dom/ScriptSettings.h"
 #include "mozilla/dom/WorkerPrivate.h"
 #include "mozilla/dom/WorkerRef.h"
 #include "mozilla/dom/WorkerRunnable.h"
 #include "mozilla/dom/WorkerScope.h"
 #include "nsAutoPtr.h"
+#include "mozilla/LoadInfo.h"
 #include "nsGlobalWindow.h"
 #include "nsIScriptGlobalObject.h"
 #include "nsIDOMWindow.h"
 #include "nsIDocument.h"
 #include "nsXPCOM.h"
 #include "nsIXPConnect.h"
 #include "nsContentUtils.h"
 #include "nsError.h"
@@ -1647,24 +1648,27 @@ WebSocketImpl::Init(JSContext* aCx,
     }
 
     // The 'real' nsHttpChannel of the websocket gets opened in the parent.
     // Since we don't serialize the CSP within child and parent and also not
     // the context, we have to perform content policy checks here instead of
     // AsyncOpen2().
     // Please note that websockets can't follow redirects, hence there is no
     // need to perform a CSP check after redirects.
+    nsCOMPtr<nsILoadInfo> secCheckLoadInfo =
+      new net::LoadInfo(aPrincipal, // loading principal
+                        aPrincipal, // triggering principal
+                        originDoc,
+                        nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK,
+                        nsIContentPolicy::TYPE_WEBSOCKET);
+
     int16_t shouldLoad = nsIContentPolicy::ACCEPT;
-    rv = NS_CheckContentLoadPolicy(nsIContentPolicy::TYPE_WEBSOCKET,
-                                   uri,
-                                   aPrincipal, // loading principal
-                                   aPrincipal, // triggering principal
-                                   originDoc,
+    rv = NS_CheckContentLoadPolicy(uri,
+                                   secCheckLoadInfo,
                                    EmptyCString(),
-                                   nullptr,
                                    &shouldLoad,
                                    nsContentUtils::GetContentPolicy());
     NS_ENSURE_SUCCESS(rv, rv);
 
     if (NS_CP_REJECTED(shouldLoad)) {
       // Disallowed by content policy
       return NS_ERROR_CONTENT_BLOCKED;
     }
--- a/dom/xml/nsXMLContentSink.cpp
+++ b/dom/xml/nsXMLContentSink.cpp
@@ -52,16 +52,17 @@
 #include "mozilla/dom/CDATASection.h"
 #include "mozilla/dom/Comment.h"
 #include "mozilla/dom/DocumentType.h"
 #include "mozilla/dom/Element.h"
 #include "mozilla/dom/HTMLTemplateElement.h"
 #include "mozilla/dom/ProcessingInstruction.h"
 #include "mozilla/dom/ScriptLoader.h"
 #include "mozilla/dom/txMozillaXSLTProcessor.h"
+#include "mozilla/LoadInfo.h"
 
 using namespace mozilla;
 using namespace mozilla::dom;
 
 // XXX Open Issues:
 // 1) what's not allowed - We need to figure out which HTML tags
 //    (prefixed with a HTML namespace qualifier) are explicitly not
 //    allowed (if any).
@@ -733,25 +734,28 @@ nsXMLContentSink::MaybeProcessXSLTLink(
 
   // Do security check
   nsIScriptSecurityManager *secMan = nsContentUtils::GetSecurityManager();
   rv = secMan->
     CheckLoadURIWithPrincipal(mDocument->NodePrincipal(), url,
                               nsIScriptSecurityManager::ALLOW_CHROME);
   NS_ENSURE_SUCCESS(rv, NS_OK);
 
+  nsCOMPtr<nsILoadInfo> secCheckLoadInfo =
+    new net::LoadInfo(mDocument->NodePrincipal(), // loading principal
+                      mDocument->NodePrincipal(), // triggering principal
+                      aProcessingInstruction,
+                      nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK,
+                      nsIContentPolicy::TYPE_XSLT);
+
   // Do content policy check
   int16_t decision = nsIContentPolicy::ACCEPT;
-  rv = NS_CheckContentLoadPolicy(nsIContentPolicy::TYPE_XSLT,
-                                 url,
-                                 mDocument->NodePrincipal(), // loading principal
-                                 mDocument->NodePrincipal(), // triggering principal
-                                 ToSupports(aProcessingInstruction),
+  rv = NS_CheckContentLoadPolicy(url,
+                                 secCheckLoadInfo,
                                  NS_ConvertUTF16toUTF8(aType),
-                                 nullptr,
                                  &decision,
                                  nsContentUtils::GetContentPolicy());
 
   NS_ENSURE_SUCCESS(rv, rv);
 
   if (NS_CP_REJECTED(decision)) {
     return NS_OK;
   }
--- a/extensions/permissions/nsContentBlocker.cpp
+++ b/extensions/permissions/nsContentBlocker.cpp
@@ -147,25 +147,28 @@ nsContentBlocker::PrefChanged(nsIPrefBra
         NS_SUCCEEDED(aPrefBranch->GetIntPref(kTypeString[i], &val)))
       mBehaviorPref[i] = LIMIT(val, 1, 3, 1);
   }
 
 }
 
 // nsIContentPolicy Implementation
 NS_IMETHODIMP
-nsContentBlocker::ShouldLoad(uint32_t          aContentType,
-                             nsIURI           *aContentLocation,
-                             nsIURI           *aRequestingLocation,
-                             nsISupports      *aRequestingContext,
+nsContentBlocker::ShouldLoad(nsIURI           *aContentLocation,
+                             nsILoadInfo      *aLoadInfo,
                              const nsACString &aMimeGuess,
-                             nsISupports      *aExtra,
-                             nsIPrincipal     *aRequestPrincipal,
                              int16_t          *aDecision)
 {
+  uint32_t aContentType = aLoadInfo->GetExternalContentPolicyType();
+  nsCOMPtr<nsIPrincipal> loadingPrincipal = aLoadInfo->LoadingPrincipal();
+  nsCOMPtr<nsIURI> aRequestingLocation;
+  if (loadingPrincipal) {
+    loadingPrincipal->GetURI(getter_AddRefs(aRequestingLocation));
+  }
+
   MOZ_ASSERT(aContentType == nsContentUtils::InternalContentPolicyTypeToExternal(aContentType),
              "We should only see external content policy types here.");
 
   *aDecision = nsIContentPolicy::ACCEPT;
   nsresult rv;
 
   // Ony support NUMBER_OF_TYPES content types. that all there is at the
   // moment, but you never know...
@@ -201,25 +204,29 @@ nsContentBlocker::ShouldLoad(uint32_t   
       *aDecision = nsIContentPolicy::REJECT_SERVER;
     }
   }
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
-nsContentBlocker::ShouldProcess(uint32_t          aContentType,
-                                nsIURI           *aContentLocation,
-                                nsIURI           *aRequestingLocation,
-                                nsISupports      *aRequestingContext,
+nsContentBlocker::ShouldProcess(nsIURI           *aContentLocation,
+                                nsILoadInfo      *aLoadInfo,
                                 const nsACString &aMimeGuess,
-                                nsISupports      *aExtra,
-                                nsIPrincipal     *aRequestPrincipal,
                                 int16_t          *aDecision)
 {
+  uint32_t aContentType = aLoadInfo->GetExternalContentPolicyType();
+  nsCOMPtr<nsISupports> aRequestingContext = aLoadInfo->GetLoadingContext();
+  nsCOMPtr<nsIPrincipal> loadingPrincipal = aLoadInfo->LoadingPrincipal();
+  nsCOMPtr<nsIURI> aRequestingLocation;
+  if (loadingPrincipal) {
+    loadingPrincipal->GetURI(getter_AddRefs(aRequestingLocation));
+  }
+
   MOZ_ASSERT(aContentType == nsContentUtils::InternalContentPolicyTypeToExternal(aContentType),
              "We should only see external content policy types here.");
 
   // For loads where aRequestingContext is chrome, we should just
   // accept.  Those are most likely toplevel loads in windows, and
   // chrome generally knows what it's doing anyway.
   nsCOMPtr<nsIDocShellTreeItem> item =
     do_QueryInterface(NS_CP_GetDocShellFromContext(aRequestingContext));
@@ -249,19 +256,17 @@ nsContentBlocker::ShouldProcess(uint32_t
         *aDecision = nsIContentPolicy::REJECT_SERVER;
       }
     }
     return NS_OK;
   }
 
   // This isn't a load from chrome or an object tag - Just do a ShouldLoad()
   // check -- we want the same answer here
-  return ShouldLoad(aContentType, aContentLocation, aRequestingLocation,
-                    aRequestingContext, aMimeGuess, aExtra, aRequestPrincipal,
-                    aDecision);
+  return ShouldLoad(aContentLocation, aLoadInfo, aMimeGuess, aDecision);
 }
 
 nsresult
 nsContentBlocker::TestPermission(nsIURI *aCurrentURI,
                                  nsIURI *aFirstURI,
                                  int32_t aContentType,
                                  bool *aPermission,
                                  bool *aFromPrefs)
--- a/image/imgLoader.cpp
+++ b/image/imgLoader.cpp
@@ -4,22 +4,24 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 // Undefine windows version of LoadImage because our code uses that name.
 #undef LoadImage
 
 #include "ImageLogging.h"
 #include "imgLoader.h"
+#include "NullPrincipal.h"
 
 #include "mozilla/Attributes.h"
 #include "mozilla/ClearOnShutdown.h"
 #include "mozilla/Move.h"
 #include "mozilla/Preferences.h"
 #include "mozilla/ChaosMode.h"
+#include "mozilla/LoadInfo.h"
 
 #include "nsImageModule.h"
 #include "imgRequestProxy.h"
 
 #include "nsCOMPtr.h"
 
 #include "nsContentPolicyUtils.h"
 #include "nsContentUtils.h"
@@ -625,24 +627,38 @@ ShouldLoadCachedImage(imgRequest* aImgRe
    * of the intermediary hops went through an insecure redirect with the
    * mHadInsecureRedirect flag
    */
   bool insecureRedirect = aImgRequest->HadInsecureRedirect();
   nsCOMPtr<nsIURI> contentLocation;
   aImgRequest->GetFinalURI(getter_AddRefs(contentLocation));
   nsresult rv;
 
+  nsCOMPtr<nsINode> requestingNode = do_QueryInterface(aLoadingContext);
+  nsCOMPtr<nsIPrincipal> loadingPrincipal = requestingNode
+    ? requestingNode->NodePrincipal()
+    : aTriggeringPrincipal;
+  // If there is no context and also no triggeringPrincipal, then we use a fresh
+  // nullPrincipal as the loadingPrincipal because we can not create a loadinfo
+  // without a valid loadingPrincipal.
+  if (!loadingPrincipal) {
+    loadingPrincipal = NullPrincipal::CreateWithoutOriginAttributes();
+  }
+
+  nsCOMPtr<nsILoadInfo> secCheckLoadInfo =
+    new LoadInfo(loadingPrincipal,
+                 aTriggeringPrincipal,
+                 requestingNode,
+                 nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK,
+                 aPolicyType);
+
   int16_t decision = nsIContentPolicy::REJECT_REQUEST;
-  rv = NS_CheckContentLoadPolicy(aPolicyType,
-                                 contentLocation,
-                                 aTriggeringPrincipal, // loading principal
-                                 aTriggeringPrincipal,
-                                 aLoadingContext,
+  rv = NS_CheckContentLoadPolicy(contentLocation,
+                                 secCheckLoadInfo,
                                  EmptyCString(), //mime guess
-                                 nullptr, //aExtra
                                  &decision,
                                  nsContentUtils::GetContentPolicy());
   if (NS_FAILED(rv) || !NS_CP_ACCEPTED(decision)) {
     return false;
   }
 
   // We call all Content Policies above, but we also have to call mcb
   // individually to check the intermediary redirect hops are secure.
--- a/layout/style/FontFaceSet.cpp
+++ b/layout/style/FontFaceSet.cpp
@@ -19,16 +19,17 @@
 #include "mozilla/AsyncEventDispatcher.h"
 #include "mozilla/Logging.h"
 #include "mozilla/Preferences.h"
 #include "mozilla/ServoCSSParser.h"
 #include "mozilla/ServoStyleSet.h"
 #include "mozilla/ServoUtils.h"
 #include "mozilla/Sprintf.h"
 #include "mozilla/Telemetry.h"
+#include "mozilla/LoadInfo.h"
 #include "nsAutoPtr.h"
 #include "nsContentPolicyUtils.h"
 #include "nsCSSParser.h"
 #include "nsDeviceContext.h"
 #include "nsFontFaceLoader.h"
 #include "nsIConsoleService.h"
 #include "nsIContentPolicy.h"
 #include "nsIContentSecurityPolicy.h"
@@ -1371,24 +1372,27 @@ bool
 FontFaceSet::IsFontLoadAllowed(nsIURI* aFontLocation,
                                nsIPrincipal* aPrincipal,
                                nsTArray<nsCOMPtr<nsIRunnable>>* aViolations)
 {
   if (aViolations) {
     mDocument->StartBufferingCSPViolations();
   }
 
+  nsCOMPtr<nsILoadInfo> secCheckLoadInfo =
+    new net::LoadInfo(mDocument->NodePrincipal(), // loading principal
+                      aPrincipal, // triggering principal
+                      mDocument,
+                      nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK,
+                      nsIContentPolicy::TYPE_FONT);
+
   int16_t shouldLoad = nsIContentPolicy::ACCEPT;
-  nsresult rv = NS_CheckContentLoadPolicy(nsIContentPolicy::TYPE_FONT,
-                                          aFontLocation,
-                                          aPrincipal, // loading principal
-                                          aPrincipal, // triggering principal
-                                          mDocument,
+  nsresult rv = NS_CheckContentLoadPolicy(aFontLocation,
+                                          secCheckLoadInfo,
                                           EmptyCString(), // mime type
-                                          nullptr, // aExtra
                                           &shouldLoad,
                                           nsContentUtils::GetContentPolicy());
 
   if (aViolations) {
     mDocument->StopBufferingCSPViolations(*aViolations);
   }
 
   return NS_SUCCEEDED(rv) && NS_CP_ACCEPTED(shouldLoad);
--- a/layout/style/Loader.cpp
+++ b/layout/style/Loader.cpp
@@ -852,24 +852,28 @@ Loader::CheckContentPolicy(nsIPrincipal*
   if (!aLoadingPrincipal) {
     return NS_OK;
   }
 
   nsContentPolicyType contentPolicyType =
     aIsPreload ? nsIContentPolicy::TYPE_INTERNAL_STYLESHEET_PRELOAD
                : nsIContentPolicy::TYPE_INTERNAL_STYLESHEET;
 
+  nsCOMPtr<nsINode> requestingNode = do_QueryInterface(aContext);
+  nsCOMPtr<nsILoadInfo> secCheckLoadInfo =
+    new net::LoadInfo(aLoadingPrincipal,
+                      aTriggeringPrincipal,
+                      requestingNode,
+                      nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK,
+                      contentPolicyType);
+
   int16_t shouldLoad = nsIContentPolicy::ACCEPT;
-  nsresult rv = NS_CheckContentLoadPolicy(contentPolicyType,
-                                          aTargetURI,
-                                          aLoadingPrincipal,
-                                          aTriggeringPrincipal,
-                                          aContext,
+  nsresult rv = NS_CheckContentLoadPolicy(aTargetURI,
+                                          secCheckLoadInfo,
                                           NS_LITERAL_CSTRING("text/css"),
-                                          nullptr,  //extra param
                                           &shouldLoad,
                                           nsContentUtils::GetContentPolicy());
    if (NS_FAILED(rv) || NS_CP_REJECTED(shouldLoad)) {
      return NS_ERROR_CONTENT_BLOCKED;
    }
    return NS_OK;
 }
 
--- a/mobile/android/components/ImageBlockingPolicy.js
+++ b/mobile/android/components/ImageBlockingPolicy.js
@@ -40,17 +40,20 @@ function ImageBlockingPolicy() {
 ImageBlockingPolicy.prototype = {
   QueryInterface: XPCOMUtils.generateQI([Ci.nsIContentPolicy, Ci.nsIObserver]),
   classDescription: "Click-To-Play Image",
   classID: Components.ID("{f55f77f9-d33d-4759-82fc-60db3ee0bb91}"),
   contractID: "@mozilla.org/browser/blockimages-policy;1",
   xpcom_categories: [{category: "content-policy", service: true}],
 
   // nsIContentPolicy interface implementation
-  shouldLoad: function(contentType, contentLocation, requestOrigin, node, mimeTypeGuess, extra) {
+  shouldLoad: function(contentLocation, loadInfo, mimeTypeGuess) {
+    let contentType = loadInfo.externalContentPolicyType;
+    let node = loadInfo.loadingContext;
+
     // When enabled or when on cellular, and option for cellular-only is selected
     if (this._enabled() == OPTION_NEVER || (this._enabled() == OPTION_WIFI_ONLY && this._usingCellular())) {
       if (contentType === Ci.nsIContentPolicy.TYPE_IMAGE || contentType === Ci.nsIContentPolicy.TYPE_IMAGESET) {
         // Accept any non-http(s) image URLs
         if (!contentLocation.schemeIs("http") && !contentLocation.schemeIs("https")) {
           return Ci.nsIContentPolicy.ACCEPT;
         }
 
@@ -76,17 +79,17 @@ ImageBlockingPolicy.prototype = {
         return Ci.nsIContentPolicy.REJECT;
       }
     }
 
     // Accept all other content types
     return Ci.nsIContentPolicy.ACCEPT;
   },
 
-  shouldProcess: function(contentType, contentLocation, requestOrigin, node, mimeTypeGuess, extra) {
+  shouldProcess: function(contentLocation, loadInfo, mimeTypeGuess) {
     return Ci.nsIContentPolicy.ACCEPT;
   },
 
   _usingCellular: function() {
     let network = Cc["@mozilla.org/network/network-link-service;1"].getService(Ci.nsINetworkLinkService);
     return !(network.linkType == Ci.nsINetworkLinkService.LINK_TYPE_UNKNOWN ||
         network.linkType == Ci.nsINetworkLinkService.LINK_TYPE_ETHERNET ||
         network.linkType == Ci.nsINetworkLinkService.LINK_TYPE_USB ||
--- a/netwerk/base/LoadInfo.cpp
+++ b/netwerk/base/LoadInfo.cpp
@@ -96,17 +96,17 @@ LoadInfo::LoadInfo(nsIPrincipal* aLoadin
   // nsIOService and use the wrong constructor.  Don't enforce the
   // !TYPE_DOCUMENT check in those cases
   bool skipContentTypeCheck = false;
   skipContentTypeCheck = Preferences::GetBool("network.loadinfo.skip_type_assertion");
 #endif
 
   // This constructor shouldn't be used for TYPE_DOCUMENT loads that don't
   // have a loadingPrincipal
-  MOZ_ASSERT(skipContentTypeCheck ||
+  MOZ_ASSERT(skipContentTypeCheck || mLoadingPrincipal ||
              mInternalContentPolicyType != nsIContentPolicy::TYPE_DOCUMENT);
 
   // We should only get an explicit controller for subresource requests.
   MOZ_DIAGNOSTIC_ASSERT(
     aController.isNothing() ||
     !nsContentUtils::IsNonSubresourceInternalPolicyType(mInternalContentPolicyType));
 
   // TODO(bug 1259873): Above, we initialize mIsThirdPartyContext to false meaning
@@ -653,16 +653,37 @@ LoadInfo::ContextForTopLevelLoad()
   // Most likely you want to query LoadingNode() instead of
   // ContextForTopLevelLoad() if this assertion fires.
   MOZ_ASSERT(mInternalContentPolicyType == nsIContentPolicy::TYPE_DOCUMENT,
             "should only query this context for top level document loads");
   nsCOMPtr<nsISupports> context = do_QueryReferent(mContextForTopLevelLoad);
   return context;
 }
 
+already_AddRefed<nsISupports>
+LoadInfo::GetLoadingContext()
+{
+  nsCOMPtr<nsISupports> context;
+  if (mInternalContentPolicyType == nsIContentPolicy::TYPE_DOCUMENT) {
+    context = ContextForTopLevelLoad();
+  }
+  else {
+    context = LoadingNode();
+  }
+  return context.forget();
+}
+
+NS_IMETHODIMP
+LoadInfo::GetLoadingContextXPCOM(nsISupports** aResult)
+{
+  nsCOMPtr<nsISupports> context = GetLoadingContext();
+  context.forget(aResult);
+  return NS_OK;
+}
+
 NS_IMETHODIMP
 LoadInfo::GetSecurityFlags(nsSecurityFlags* aResult)
 {
   *aResult = mSecurityFlags;
   return NS_OK;
 }
 
 NS_IMETHODIMP
--- a/netwerk/base/nsILoadInfo.idl
+++ b/netwerk/base/nsILoadInfo.idl
@@ -8,16 +8,17 @@
 #include "nsIContentPolicy.idl"
 
 interface nsIChannel;
 interface nsIDOMDocument;
 interface nsINode;
 interface nsIPrincipal;
 interface nsIRedirectHistoryEntry;
 interface nsIURI;
+native LoadContextRef(already_AddRefed<nsISupports>);
 %{C++
 #include "nsTArray.h"
 #include "mozilla/BasePrincipal.h"
 #include "mozilla/LoadTainting.h"
 #include "mozilla/UniquePtr.h"
 #include "nsStringFwd.h"
 
 namespace mozilla {
@@ -69,16 +70,26 @@ interface nsILoadInfo : nsISupports
    *    * SEC_REQUIRE_CORS_DATA_INHERITS
    *
    * Exactly one of these flags are required to be set in order to allow
    * the channel to perform the correct security checks (SOP, CORS, ...) and
    * return the correct result principal. If none or more than one of these
    * flags are set AsyncOpen2 will fail.
    */
 
+   /**
+    * Warning: Never use this flag when creating a new channel!
+    * Only use this flag if you have to create a temporary LoadInfo
+    * for performing an explicit nsIContentPolicy check, like e.g.
+    * when loading something from the cache that needs an explicit
+    * nsIContentPolicy check. In all other cases pick one of the
+    * security flags underneath.
+    */
+  const unsigned long SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK = 0;
+
   /*
    * Enforce the same origin policy where data: loads inherit the principal.
    * See the documentation for principalToInherit, which describes exactly what
    * principal is inherited.
    */
   const unsigned long SEC_REQUIRE_SAME_ORIGIN_DATA_INHERITS = (1<<0);
 
   /*
@@ -356,16 +367,31 @@ interface nsILoadInfo : nsISupports
    * and not this context only available for TYPE_DOCUMENT loads.
    * Please note that except for loads of TYPE_DOCUMENT, this
    * ContextForTopLevelLoad will always return null.
    */
   [noscript, notxpcom, nostdcall, binaryname(ContextForTopLevelLoad)]
   nsISupports binaryContextForTopLevelLoad();
 
   /**
+   * For all loads except loads of TYPE_DOCUMENT, the loadingContext
+   * simply returns the loadingNode. For loads of TYPE_DOCUMENT this
+   * will return the context available for top-level loads which
+   * do not have a loadingNode.
+   */
+  [binaryname(LoadingContextXPCOM)]
+  readonly attribute nsISupports loadingContext;
+  
+  /**
+   * A C++ friendly version of the loadingContext.
+   */
+  [noscript, notxpcom, nostdcall, binaryname(GetLoadingContext)]
+  LoadContextRef binaryGetLoadingContext();
+
+  /**
    * The securityFlags of that channel.
    */
   readonly attribute nsSecurityFlags securityFlags;
 
 %{ C++
   inline nsSecurityFlags GetSecurityFlags()
   {
     nsSecurityFlags result;
--- a/toolkit/components/browser/nsWebBrowserContentPolicy.cpp
+++ b/toolkit/components/browser/nsWebBrowserContentPolicy.cpp
@@ -16,27 +16,26 @@ nsWebBrowserContentPolicy::nsWebBrowserC
 
 nsWebBrowserContentPolicy::~nsWebBrowserContentPolicy()
 {
 }
 
 NS_IMPL_ISUPPORTS(nsWebBrowserContentPolicy, nsIContentPolicy)
 
 NS_IMETHODIMP
-nsWebBrowserContentPolicy::ShouldLoad(uint32_t aContentType,
-                                      nsIURI* aContentLocation,
-                                      nsIURI* aRequestingLocation,
-                                      nsISupports* aRequestingContext,
+nsWebBrowserContentPolicy::ShouldLoad(nsIURI* aContentLocation,
+                                      nsILoadInfo* aLoadInfo,
                                       const nsACString& aMimeGuess,
-                                      nsISupports* aExtra,
-                                      nsIPrincipal* aRequestPrincipal,
                                       int16_t* aShouldLoad)
 {
   NS_PRECONDITION(aShouldLoad, "Null out param");
 
+  uint32_t aContentType = aLoadInfo->GetExternalContentPolicyType();
+  nsCOMPtr<nsISupports> aRequestingContext = aLoadInfo->GetLoadingContext();
+
   MOZ_ASSERT(aContentType == nsContentUtils::InternalContentPolicyTypeToExternal(aContentType),
              "We should only see external content policy types here.");
 
   *aShouldLoad = nsIContentPolicy::ACCEPT;
 
   nsIDocShell* shell = NS_CP_GetDocShellFromContext(aRequestingContext);
   /* We're going to dereference shell, so make sure it isn't null */
   if (!shell) {
@@ -69,27 +68,26 @@ nsWebBrowserContentPolicy::ShouldLoad(ui
 
   if (NS_SUCCEEDED(rv) && !allowed) {
     *aShouldLoad = nsIContentPolicy::REJECT_TYPE;
   }
   return rv;
 }
 
 NS_IMETHODIMP
-nsWebBrowserContentPolicy::ShouldProcess(uint32_t aContentType,
-                                         nsIURI* aContentLocation,
-                                         nsIURI* aRequestingLocation,
-                                         nsISupports* aRequestingContext,
+nsWebBrowserContentPolicy::ShouldProcess(nsIURI* aContentLocation,
+                                         nsILoadInfo* aLoadInfo,
                                          const nsACString& aMimeGuess,
-                                         nsISupports* aExtra,
-                                         nsIPrincipal* aRequestPrincipal,
                                          int16_t* aShouldProcess)
 {
   NS_PRECONDITION(aShouldProcess, "Null out param");
 
+  uint32_t aContentType = aLoadInfo->GetExternalContentPolicyType();
+  nsCOMPtr<nsISupports> aRequestingContext = aLoadInfo->GetLoadingContext();
+
   MOZ_ASSERT(aContentType == nsContentUtils::InternalContentPolicyTypeToExternal(aContentType),
              "We should only see external content policy types here.");
 
   *aShouldProcess = nsIContentPolicy::ACCEPT;
 
   // Object tags will always open channels with TYPE_OBJECT, but may end up
   // loading with TYPE_IMAGE or TYPE_DOCUMENT as their final type, so we block
   // actual-plugins at the process stage
--- a/toolkit/modules/addons/WebRequestContent.js
+++ b/toolkit/modules/addons/WebRequestContent.js
@@ -71,18 +71,26 @@ var ContentPolicy = {
     catMan.addCategoryEntry("content-policy", this._contractID, this._contractID, false, true);
   },
 
   unregister() {
     let catMan = Cc["@mozilla.org/categorymanager;1"].getService(Ci.nsICategoryManager);
     catMan.deleteCategoryEntry("content-policy", this._contractID, false);
   },
 
-  shouldLoad(policyType, contentLocation, requestOrigin,
-             node, mimeTypeGuess, extra, requestPrincipal) {
+  shouldLoad(contentLocation, loadInfo, mimeTypeGuess) {
+    let policyType = loadInfo.externalContentPolicyType;
+    let node = loadInfo.loadingContext;
+    let loadingPrincipal = loadInfo.loadingPrincipal;
+    let requestPrincipal = loadInfo.triggeringPrincipal;
+    let requestOrigin = null;
+    if (loadingPrincipal) {
+      requestOrigin = loadingPrincipal.URI;
+    }
+
     // Loads of TYPE_DOCUMENT and TYPE_SUBDOCUMENT perform a ConPol check
     // within docshell as well as within the ContentSecurityManager. To avoid
     // duplicate evaluations we ignore ConPol checks performed within docShell.
     if (extra instanceof Ci.nsISupportsString) {
       if (extra.data === "conPolCheckFromDocShell") {
         return Ci.nsIContentPolicy.ACCEPT;
       }
     }
@@ -187,17 +195,17 @@ var ContentPolicy = {
     if (requestPrincipal && requestPrincipal.URI) {
       data.originUrl = requestPrincipal.URI.spec;
     }
     mm.sendAsyncMessage("WebRequest:ShouldLoad", data);
 
     return Ci.nsIContentPolicy.ACCEPT;
   },
 
-  shouldProcess: function(contentType, contentLocation, requestOrigin, insecNode, mimeType, extra) {
+  shouldProcess: function(contentLocation, loadInfo, mimeType) {
     return Ci.nsIContentPolicy.ACCEPT;
   },
 
   createInstance: function(outer, iid) {
     if (outer) {
       throw Cr.NS_ERROR_NO_AGGREGATION;
     }
     return this.QueryInterface(iid);
--- a/toolkit/mozapps/extensions/AddonContentPolicy.cpp
+++ b/toolkit/mozapps/extensions/AddonContentPolicy.cpp
@@ -87,25 +87,29 @@ LogMessage(const nsAString &aMessage, ns
   console->LogMessage(error);
   return NS_OK;
 }
 
 
 // Content policy enforcement:
 
 NS_IMETHODIMP
-AddonContentPolicy::ShouldLoad(uint32_t aContentType,
-                               nsIURI* aContentLocation,
-                               nsIURI* aRequestOrigin,
-                               nsISupports* aContext,
+AddonContentPolicy::ShouldLoad(nsIURI* aContentLocation,
+                               nsILoadInfo* aLoadInfo,
                                const nsACString& aMimeTypeGuess,
-                               nsISupports* aExtra,
-                               nsIPrincipal* aRequestPrincipal,
                                int16_t* aShouldLoad)
 {
+  uint32_t aContentType = aLoadInfo->GetExternalContentPolicyType();
+  nsCOMPtr<nsISupports> aContext = aLoadInfo->GetLoadingContext();
+  nsCOMPtr<nsIURI> aRequestOrigin;
+  nsCOMPtr<nsIPrincipal> loadingPrincipal = aLoadInfo->LoadingPrincipal();
+  if (loadingPrincipal) {
+    loadingPrincipal->GetURI(getter_AddRefs(aRequestOrigin));
+  }
+
   MOZ_ASSERT(aContentType == nsContentUtils::InternalContentPolicyTypeToExternal(aContentType),
              "We should only see external content policy types here.");
 
   *aShouldLoad = nsIContentPolicy::ACCEPT;
 
   if (!aRequestOrigin) {
     return NS_OK;
   }
@@ -134,27 +138,26 @@ AddonContentPolicy::ShouldLoad(uint32_t 
       return NS_OK;
     }
   }
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
-AddonContentPolicy::ShouldProcess(uint32_t aContentType,
-                                  nsIURI* aContentLocation,
-                                  nsIURI* aRequestOrigin,
-                                  nsISupports* aRequestingContext,
+AddonContentPolicy::ShouldProcess(nsIURI* aContentLocation,
+                                  nsILoadInfo* aLoadInfo,
                                   const nsACString& aMimeTypeGuess,
-                                  nsISupports* aExtra,
-                                  nsIPrincipal* aRequestPrincipal,
                                   int16_t* aShouldProcess)
 {
+#ifdef DEBUG
+  uint32_t aContentType = aLoadInfo->GetExternalContentPolicyType();
   MOZ_ASSERT(aContentType == nsContentUtils::InternalContentPolicyTypeToExternal(aContentType),
              "We should only see external content policy types here.");
+#endif
 
   *aShouldProcess = nsIContentPolicy::ACCEPT;
   return NS_OK;
 }
 
 
 // CSP Validation: