Bug 1165272 - Part 1: Remove getAppCodebasePrincipal. r=bholley
authorYoshi Huang <allstars.chh@mozilla.com>
Mon, 24 Aug 2015 01:31:00 -0400
changeset 293316 8b37e978d6078937778b05febdb787d6313b1e2f
parent 293315 45d8e4586fbc80786f016cf834c0cd3bad3b424f
child 293317 8d116b0d696f461cd63840f1dd21430b47e740a5
push id962
push userjlund@mozilla.com
push dateFri, 04 Dec 2015 23:28:54 +0000
treeherdermozilla-release@23a2d286e80f [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbholley
bugs1165272
milestone43.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1165272 - Part 1: Remove getAppCodebasePrincipal. r=bholley
b2g/components/AboutServiceWorkers.jsm
b2g/components/ContentPermissionPrompt.js
caps/nsIScriptSecurityManager.idl
docshell/base/nsDocShell.cpp
dom/apps/AppsUtils.jsm
dom/apps/OfflineCacheInstaller.jsm
dom/apps/ScriptPreloader.jsm
dom/apps/Webapps.jsm
dom/base/nsGlobalWindow.cpp
dom/browser-element/BrowserElementParent.js
dom/browser-element/mochitest/browserElement_Auth.js
dom/datastore/DataStoreService.cpp
dom/indexedDB/ActorsParent.cpp
dom/indexedDB/test/unit/test_defaultStorageUpgrade.js
dom/ipc/AppProcessChecker.cpp
dom/ipc/TabChild.cpp
dom/payment/Payment.jsm
dom/permission/PermissionSettings.js
dom/permission/PermissionSettings.jsm
dom/quota/QuotaManager.cpp
extensions/cookie/nsPermissionManager.cpp
extensions/cookie/test/test_app_uninstall_permissions.html
extensions/cookie/test/unit/test_permmanager_cleardata.js
extensions/cookie/test/unit/test_permmanager_defaults.js
extensions/cookie/test/unit/test_permmanager_matches.js
extensions/cookie/test/unit/test_permmanager_matchesuri.js
ipc/glue/BackgroundUtils.cpp
netwerk/cookie/CookieServiceParent.cpp
netwerk/protocol/http/HttpChannelParent.cpp
netwerk/test/unit/test_auth_jar.js
services/fxaccounts/tests/xpcshell/test_manager.js
services/mobileid/MobileIdentityManager.jsm
services/mobileid/tests/xpcshell/head.js
testing/marionette/driver/marionette_driver/marionette.py
testing/mochitest/tests/Harness_sanity/test_bug816847.html
testing/specialpowers/content/SpecialPowersObserverAPI.js
uriloader/prefetch/OfflineCacheUpdateParent.cpp
--- a/b2g/components/AboutServiceWorkers.jsm
+++ b/b2g/components/AboutServiceWorkers.jsm
@@ -149,21 +149,20 @@ this.AboutServiceWorkers = {
             !message.principal.origin ||
             !message.principal.originAttributes ||
             !message.principal.originAttributes.appId ||
             (message.principal.originAttributes.inBrowser == null)) {
           self.sendError(message.id, "MissingPrincipal");
           return;
         }
 
-        let principal = Services.scriptSecurityManager.getAppCodebasePrincipal(
+        let principal = Services.scriptSecurityManager.createCodebasePrincipal(
+          // TODO: Bug 1196652. use originNoSuffix
           Services.io.newURI(message.principal.origin, null, null),
-          message.principal.originAttributes.appId,
-          message.principal.originAttributes.inBrowser
-        );
+          message.principal.originAttributes);
 
         if (!message.scope) {
           self.sendError(message.id, "MissingScope");
           return;
         }
 
         let serviceWorkerUnregisterCallback = {
           unregisterSucceeded: function() {
--- a/b2g/components/ContentPermissionPrompt.js
+++ b/b2g/components/ContentPermissionPrompt.js
@@ -200,19 +200,19 @@ ContentPermissionPrompt.prototype = {
     let appsService = Cc["@mozilla.org/AppsService;1"]
                         .getService(Ci.nsIAppsService);
     let app = appsService.getAppByLocalId(request.principal.appId);
 
     // Check each permission if it's denied by permission manager with app's
     // URL.
     let notDenyAppPrincipal = function(type) {
       let url = Services.io.newURI(app.origin, null, null);
-      let principal = secMan.getAppCodebasePrincipal(url,
-                                                     request.principal.appId,
-                                                     /*mozbrowser*/false);
+      let principal =
+        secMan.createCodebasePrincipal(url,
+                                       {appId: request.principal.appId});
       let result = Services.perms.testExactPermissionFromPrincipal(principal,
                                                                    type.access);
 
       if (result == Ci.nsIPermissionManager.ALLOW_ACTION ||
           result == Ci.nsIPermissionManager.PROMPT_ACTION) {
         type.deny = false;
       }
       return !type.deny;
--- a/caps/nsIScriptSecurityManager.idl
+++ b/caps/nsIScriptSecurityManager.idl
@@ -21,17 +21,17 @@ class DomainPolicyClone;
 }
 }
 %}
 
 [ptr] native JSContextPtr(JSContext);
 [ptr] native JSObjectPtr(JSObject);
 [ptr] native DomainPolicyClonePtr(mozilla::dom::DomainPolicyClone);
 
-[scriptable, uuid(9a8f0b70-6b9f-4e19-8885-7cfe24f4a42d)]
+[scriptable, uuid(73f92674-f59d-4c9b-a9b5-f7a3ae8ffa98)]
 interface nsIScriptSecurityManager : nsISupports
 {
     /**
      * For each of these hooks returning NS_OK means 'let the action continue'.
      * Returning an error code means 'veto the action'. XPConnect will return
      * false to the js engine if the action is vetoed. The implementor of this
      * interface is responsible for setting a JS exception into the JSContext
      * if that is appropriate.
@@ -145,20 +145,22 @@ interface nsIScriptSecurityManager : nsI
      */
     nsIPrincipal getSimpleCodebasePrincipal(in nsIURI aURI);
 
     /**
      * Returns a principal that has the given information.
      * @param appId is the app id of the principal. It can't be UNKNOWN_APP_ID.
      * @param inMozBrowser is true if the principal has to be considered as
      * inside a mozbrowser frame.
+     *
+     * @deprecated use createCodebasePrincipal instead.
      */
-    nsIPrincipal getAppCodebasePrincipal(in nsIURI uri,
-                                         in unsigned long appId,
-                                         in boolean inMozBrowser);
+    [deprecated] nsIPrincipal getAppCodebasePrincipal(in nsIURI uri,
+                                                      in unsigned long appId,
+                                                      in boolean inMozBrowser);
 
     /**
      * Returns a principal that has the appId and inMozBrowser of the load
      * context.
      * @param loadContext to get appId/inMozBrowser from.
      */
     nsIPrincipal getLoadContextCodebasePrincipal(in nsIURI uri,
                                                  in nsILoadContext loadContext);
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -6,16 +6,17 @@
 
 #include "nsDocShell.h"
 
 #include <algorithm>
 
 #include "mozilla/ArrayUtils.h"
 #include "mozilla/Attributes.h"
 #include "mozilla/AutoRestore.h"
+#include "mozilla/BasePrincipal.h"
 #include "mozilla/Casting.h"
 #include "mozilla/dom/ContentChild.h"
 #include "mozilla/dom/Element.h"
 #include "mozilla/dom/TabChild.h"
 #include "mozilla/dom/ProfileTimelineMarkerBinding.h"
 #include "mozilla/dom/ScreenOrientation.h"
 #include "mozilla/dom/ToJSValue.h"
 #include "mozilla/dom/workers/ServiceWorkerManager.h"
@@ -9355,32 +9356,31 @@ nsDocShell::JustStartedNetworkLoad()
   return mDocumentRequest && mDocumentRequest != GetCurrentDocChannel();
 }
 
 nsresult
 nsDocShell::CreatePrincipalFromReferrer(nsIURI* aReferrer,
                                         nsIPrincipal** aResult)
 {
   nsresult rv;
-  nsCOMPtr<nsIScriptSecurityManager> secMan =
-    do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
-  NS_ENSURE_SUCCESS(rv, rv);
 
   uint32_t appId;
   rv = GetAppId(&appId);
   NS_ENSURE_SUCCESS(rv, rv);
   bool isInBrowserElement;
   rv = GetIsInBrowserElement(&isInBrowserElement);
   NS_ENSURE_SUCCESS(rv, rv);
-  rv = secMan->GetAppCodebasePrincipal(aReferrer,
-                                       appId,
-                                       isInBrowserElement,
-                                       aResult);
-  NS_ENSURE_SUCCESS(rv, rv);
-  return NS_OK;
+
+  // TODO: Bug 1165466 - Pass mOriginAttributes directly.
+  OriginAttributes attrs(appId, isInBrowserElement);
+  nsCOMPtr<nsIPrincipal> prin =
+    BasePrincipal::CreateCodebasePrincipal(aReferrer, attrs);
+  prin.forget(aResult);
+
+  return *aResult ? NS_OK : NS_ERROR_FAILURE;
 }
 
 NS_IMETHODIMP
 nsDocShell::InternalLoad(nsIURI* aURI,
                          nsIURI* aReferrer,
                          uint32_t aReferrerPolicy,
                          nsISupports* aOwner,
                          uint32_t aFlags,
--- a/dom/apps/AppsUtils.jsm
+++ b/dom/apps/AppsUtils.jsm
@@ -68,21 +68,19 @@ mozIApplication.prototype = {
   get principal() {
     if (this._principal) {
       return this._principal;
     }
 
     this._principal = null;
 
     try {
-      this._principal = Services.scriptSecurityManager.getAppCodebasePrincipal(
+      this._principal = Services.scriptSecurityManager.createCodebasePrincipal(
         Services.io.newURI(this.origin, null, null),
-        this.localId,
-        false /* mozbrowser */
-      );
+        {appId: this.localId});
     } catch(e) {
       dump("Could not create app principal " + e + "\n");
     }
 
     return this._principal;
   },
 
   QueryInterface: function(aIID) {
--- a/dom/apps/OfflineCacheInstaller.jsm
+++ b/dom/apps/OfflineCacheInstaller.jsm
@@ -223,18 +223,18 @@ function installCache(app) {
   if (!cacheDir.exists())
     return;
 
   let cacheManifest = cacheDir.clone();
   cacheManifest.append('manifest.appcache');
   if (!cacheManifest.exists())
     return;
 
-  let principal = Services.scriptSecurityManager.getAppCodebasePrincipal(
-      app.origin, app.localId, false);
+  let principal =
+    Services.scriptSecurityManager.createCodebasePrincipal(app.origin, {appId: aApp.localId});
 
   // If the build has been correctly configured, this should not happen!
   // If we install the cache anyway, it won't be updateable. If we don't install
   // it, the application won't be useable offline.
   let metadataLoaded;
   if (!resourcesMetadata.exists()) {
     // Not debug, since this is something that should be logged always!
     dump("OfflineCacheInstaller: App " + app.appId + " does have an app cache" +
--- a/dom/apps/ScriptPreloader.jsm
+++ b/dom/apps/ScriptPreloader.jsm
@@ -35,17 +35,17 @@ this.ScriptPreloader = {
 
     if (aManifest.precompile &&
         Array.isArray(aManifest.precompile) &&
         aManifest.precompile.length > 0) {
       let origin = Services.io.newURI(aApp.origin, null, null);
       let toLoad = aManifest.precompile.length;
       let principal =
         Services.scriptSecurityManager
-                .getAppCodebasePrincipal(origin, aApp.localId, false);
+                .createCodebasePrincipal(origin, {appId: aApp.localId});
 
       aManifest.precompile.forEach((aPath) => {
         let uri = Services.io.newURI(aPath, null, origin);
         debug("Script to compile: " + uri.spec);
         try {
           Services.scriptloader.precompileScript(uri, principal,
             (aSubject, aTopic, aData) => {
               let uri = aSubject.QueryInterface(Ci.nsIURI);
--- a/dom/apps/Webapps.jsm
+++ b/dom/apps/Webapps.jsm
@@ -815,18 +815,17 @@ this.DOMApplicationRegistry = {
     if (!aManifest) {
       debug("updateDataStore: no manifest for " + aOrigin);
       return;
     }
 
     let uri = Services.io.newURI(aOrigin, null, null);
     let secMan = Cc["@mozilla.org/scriptsecuritymanager;1"]
                    .getService(Ci.nsIScriptSecurityManager);
-    let principal = secMan.getAppCodebasePrincipal(uri, aId,
-                                                   /*mozbrowser*/ false);
+    let principal = secMan.createCodebasePrincipal(uri, {appId: aId});
     if (!dataStoreService.checkPermission(principal)) {
       return;
     }
 
     if ('datastores-owned' in aManifest) {
       for (let name in aManifest['datastores-owned']) {
         let readonly = "access" in aManifest['datastores-owned'][name]
                          ? aManifest['datastores-owned'][name].access == 'readonly'
@@ -3356,18 +3355,19 @@ this.DOMApplicationRegistry = {
     return true;
   },
 
   _getRequestChannel: function(aFullPackagePath, aIsLocalFileInstall, aOldApp,
                                aNewApp) {
     let requestChannel;
 
     let appURI = NetUtil.newURI(aNewApp.origin, null, null);
-    let principal = Services.scriptSecurityManager.getAppCodebasePrincipal(
-                      appURI, aNewApp.localId, false);
+    let principal =
+      Services.scriptSecurityManager.createCodebasePrincipal(appURI,
+                                                             {appId: aNewApp.localId});
 
     if (aIsLocalFileInstall) {
       requestChannel = NetUtil.newChannel({
         uri: aFullPackagePath,
         loadingPrincipal: principal,
         contentPolicyType: Ci.nsIContentPolicy.TYPE_OTHER}
       ).QueryInterface(Ci.nsIFileChannel);
     } else {
--- a/dom/base/nsGlobalWindow.cpp
+++ b/dom/base/nsGlobalWindow.cpp
@@ -90,17 +90,16 @@
 #include "nsIDOMElement.h"
 #include "nsIDOMEvent.h"
 #include "nsIDOMOfflineResourceList.h"
 #include "nsDOMString.h"
 #include "nsIEmbeddingSiteWindow.h"
 #include "nsThreadUtils.h"
 #include "nsILoadContext.h"
 #include "nsIPresShell.h"
-#include "nsIScriptSecurityManager.h"
 #include "nsIScrollableFrame.h"
 #include "nsView.h"
 #include "nsViewManager.h"
 #include "nsISelectionController.h"
 #include "nsISelection.h"
 #include "nsIPrompt.h"
 #include "nsIPromptService.h"
 #include "nsIPromptFactory.h"
@@ -187,16 +186,17 @@
 #include "mozilla/dom/GamepadService.h"
 #endif
 
 #include "mozilla/dom/VRDevice.h"
 
 #include "nsRefreshDriver.h"
 
 #include "mozilla/AddonPathService.h"
+#include "mozilla/BasePrincipal.h"
 #include "mozilla/Services.h"
 #include "mozilla/Telemetry.h"
 #include "nsLocation.h"
 #include "nsHTMLDocument.h"
 #include "nsWrapperCacheInlines.h"
 #include "mozilla/DOMEventTargetHelper.h"
 #include "prrng.h"
 #include "nsSandboxFlags.h"
@@ -251,16 +251,18 @@ static PRLogModuleInfo* gDOMLeakPRLog;
 #include <unistd.h> // for getpid()
 #endif
 
 static const char kStorageEnabled[] = "dom.storage.enabled";
 
 using namespace mozilla;
 using namespace mozilla::dom;
 using namespace mozilla::dom::ipc;
+using mozilla::BasePrincipal;
+using mozilla::OriginAttributes;
 using mozilla::TimeStamp;
 using mozilla::TimeDuration;
 using mozilla::dom::cache::CacheStorage;
 using mozilla::dom::indexedDB::IDBFactory;
 
 nsGlobalWindow::WindowByIdTable *nsGlobalWindow::sWindowsById = nullptr;
 bool nsGlobalWindow::sWarnedAboutWindowInternal = false;
 bool nsGlobalWindow::sIdleObserversAPIFuzzTimeDisabled = false;
@@ -8582,31 +8584,24 @@ nsGlobalWindow::PostMessageMozOuter(JSCo
       return;
     }
 
     if (NS_FAILED(originURI->SetUserPass(EmptyCString())) ||
         NS_FAILED(originURI->SetPath(EmptyCString()))) {
       return;
     }
 
-    nsCOMPtr<nsIScriptSecurityManager> ssm =
-      nsContentUtils::GetSecurityManager();
-    MOZ_ASSERT(ssm);
-
     nsCOMPtr<nsIPrincipal> principal = nsContentUtils::SubjectPrincipal();
     MOZ_ASSERT(principal);
 
-    uint32_t appId = principal->GetAppId();
-    bool isInBrowser = principal->GetIsInBrowserElement();
-
+    OriginAttributes attrs = BasePrincipal::Cast(principal)->OriginAttributesRef();
     // Create a nsIPrincipal inheriting the app/browser attributes from the
     // caller.
-    nsresult rv = ssm->GetAppCodebasePrincipal(originURI, appId, isInBrowser,
-                                             getter_AddRefs(providedPrincipal));
-    if (NS_WARN_IF(NS_FAILED(rv))) {
+    providedPrincipal = BasePrincipal::CreateCodebasePrincipal(originURI, attrs);
+    if (NS_WARN_IF(!providedPrincipal)) {
       return;
     }
   }
 
   // Create and asynchronously dispatch a runnable which will handle actual DOM
   // event creation and dispatch.
   nsRefPtr<PostMessageEvent> event =
     new PostMessageEvent(nsContentUtils::IsCallerChrome() || !callerInnerWin
--- a/dom/browser-element/BrowserElementParent.js
+++ b/dom/browser-element/BrowserElementParent.js
@@ -828,24 +828,26 @@ BrowserElementParent.prototype = {
     if (_options.referrer) {
       // newURI can throw on malformed URIs.
       try {
         referrer = Services.io.newURI(_options.referrer, null, null);
       }
       catch(e) {
         debug('Malformed referrer -- ' + e);
       }
+
+      // TODO Bug 1165466: use originAttributes from nsILoadContext.
+      let attrs = {appId: this._frameLoader.loadContext.appId,
+                   inBrowser: this._frameLoader.loadContext.isInBrowserElement};
       // This simply returns null if there is no principal available
       // for the requested uri. This is an acceptable fallback when
       // calling newChannelFromURI2.
-      principal = 
-        Services.scriptSecurityManager.getAppCodebasePrincipal(
-          referrer, 
-          this._frameLoader.loadContext.appId, 
-          this._frameLoader.loadContext.isInBrowserElement);
+      principal =
+        Services.scriptSecurityManager.createCodebasePrincipal(
+          referrer, attrs);
     }
 
     debug('Using principal? ' + !!principal);
 
     let channel = 
       Services.io.newChannelFromURI2(url,
                                      null,       // No document. 
                                      principal,  // Loading principal
--- a/dom/browser-element/mochitest/browserElement_Auth.js
+++ b/dom/browser-element/mochitest/browserElement_Auth.js
@@ -153,25 +153,27 @@ function testAuthJarNoInterfere(e) {
   var secMan = SpecialPowers.Cc["@mozilla.org/scriptsecuritymanager;1"]
                .getService(SpecialPowers.Ci.nsIScriptSecurityManager);
   var ioService = SpecialPowers.Cc["@mozilla.org/network/io-service;1"]
                   .getService(SpecialPowers.Ci.nsIIOService);
   var uri = ioService.newURI("http://test/tests/dom/browser-element/mochitest/file_http_401_response.sjs", null, null);
 
   // Set a bunch of auth data that should not conflict with the correct auth data already
   // stored in the cache.
-  var principal = secMan.getAppCodebasePrincipal(uri, 1, false);
+  var attrs = {appId: 1};
+  var principal = secMan.createCodebasePrincipal(uri, attrs);
   authMgr.setAuthIdentity('http', 'test', -1, 'basic', 'http_realm',
                           'tests/dom/browser-element/mochitest/file_http_401_response.sjs',
                           '', 'httpuser', 'wrongpass', false, principal);
-  principal = secMan.getAppCodebasePrincipal(uri, 1, true);
+  attrs = {appId: 1, inBrowser: true};
+  principal = secMan.createCodebasePrincipal(uri, attrs);
   authMgr.setAuthIdentity('http', 'test', -1, 'basic', 'http_realm',
                           'tests/dom/browser-element/mochitest/file_http_401_response.sjs',
                           '', 'httpuser', 'wrongpass', false, principal);
-  principal = secMan.getAppCodebasePrincipal(uri, secMan.NO_APP_ID, false);
+  principal = secMan.createCodebasePrincipal(uri, {});
   authMgr.setAuthIdentity('http', 'test', -1, 'basic', 'http_realm',
                           'tests/dom/browser-element/mochitest/file_http_401_response.sjs',
                           '', 'httpuser', 'wrongpass', false, principal);
 
   // Will authenticate with correct password, prompt should not be
   // called again.
   iframe.addEventListener("mozbrowserusernameandpasswordrequired", testFail);
   iframe.addEventListener("mozbrowsertitlechange", function onTitleChange(e) {
@@ -191,17 +193,17 @@ function testAuthJarInterfere(e) {
     .getService(SpecialPowers.Ci.nsIHttpAuthManager);
   var secMan = SpecialPowers.Cc["@mozilla.org/scriptsecuritymanager;1"]
                .getService(SpecialPowers.Ci.nsIScriptSecurityManager);
   var ioService = SpecialPowers.Cc["@mozilla.org/network/io-service;1"]
                   .getService(SpecialPowers.Ci.nsIIOService);
   var uri = ioService.newURI("http://test/tests/dom/browser-element/mochitest/file_http_401_response.sjs", null, null);
 
   // Set some auth data that should overwrite the successful stored details.
-  var principal = secMan.getAppCodebasePrincipal(uri, secMan.NO_APP_ID, true);
+  var principal = secMan.createCodebasePrincipal(uri, {inBrowser: true});
   authMgr.setAuthIdentity('http', 'test', -1, 'basic', 'http_realm',
                           'tests/dom/browser-element/mochitest/file_http_401_response.sjs',
                           '', 'httpuser', 'wrongpass', false, principal);
 
   // Will authenticate with correct password, prompt should not be
   // called again.
   var gotusernamepasswordrequired = false;
   function onUserNameAndPasswordRequired() {
--- a/dom/datastore/DataStoreService.cpp
+++ b/dom/datastore/DataStoreService.cpp
@@ -9,16 +9,17 @@
 #include "DataStoreCallbacks.h"
 #include "DataStoreDB.h"
 #include "DataStoreRevision.h"
 #include "mozilla/dom/DataStore.h"
 #include "mozilla/dom/DataStoreBinding.h"
 #include "mozilla/dom/DataStoreImplBinding.h"
 #include "nsIDataStore.h"
 
+#include "mozilla/BasePrincipal.h"
 #include "mozilla/Preferences.h"
 #include "mozilla/Services.h"
 #include "mozilla/StaticPtr.h"
 #include "mozilla/dom/ContentChild.h"
 #include "mozilla/dom/ContentParent.h"
 #include "mozilla/dom/DOMError.h"
 #include "mozilla/dom/indexedDB/IDBCursor.h"
 #include "mozilla/dom/indexedDB/IDBObjectStore.h"
@@ -51,16 +52,19 @@
 #include "nsXULAppAPI.h"
 
 #define ASSERT_PARENT_PROCESS()                                             \
   MOZ_ASSERT(XRE_IsParentProcess());                                        \
   if (NS_WARN_IF(!XRE_IsParentProcess())) {                                 \
     return NS_ERROR_FAILURE;                                                \
   }
 
+using mozilla::BasePrincipal;
+using mozilla::OriginAttributes;
+
 namespace mozilla {
 namespace dom {
 
 using namespace indexedDB;
 
 // This class contains all the information about a DataStore.
 class DataStoreInfo
 {
@@ -208,27 +212,20 @@ ResetPermission(uint32_t aAppId, const n
 
   nsCOMPtr<nsIURI> uri;
   rv = ioService->NewURI(NS_ConvertUTF16toUTF8(aOriginURL), nullptr, nullptr,
                          getter_AddRefs(uri));
   if (NS_WARN_IF(NS_FAILED(rv))) {
     return rv;
   }
 
-  nsIScriptSecurityManager* ssm = nsContentUtils::GetSecurityManager();
-  if (!ssm) {
-    return NS_ERROR_FAILURE;
-  }
-
-  nsCOMPtr<nsIPrincipal> principal;
-  rv = ssm->GetAppCodebasePrincipal(uri, aAppId, false,
-                                    getter_AddRefs(principal));
-  if (NS_WARN_IF(NS_FAILED(rv))) {
-    return rv;
-  }
+  OriginAttributes attrs(aAppId, false);
+  nsCOMPtr<nsIPrincipal> principal =
+    BasePrincipal::CreateCodebasePrincipal(uri, attrs);
+  NS_ENSURE_TRUE(principal, NS_ERROR_FAILURE);
 
   nsCOMPtr<nsIPermissionManager> pm =
     do_GetService(NS_PERMISSIONMANAGER_CONTRACTID);
   if (!pm) {
     return NS_ERROR_FAILURE;
   }
 
   nsCString basePermission;
--- a/dom/indexedDB/ActorsParent.cpp
+++ b/dom/indexedDB/ActorsParent.cpp
@@ -18514,22 +18514,16 @@ FactoryOp::CheckAtLeastOneAppHasPermissi
       return false;
     }
 
     nsCOMPtr<nsIIOService> ioService = do_GetIOService();
     if (NS_WARN_IF(!ioService)) {
       return false;
     }
 
-    nsCOMPtr<nsIScriptSecurityManager> secMan =
-      do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID);
-    if (NS_WARN_IF(!secMan)) {
-      return false;
-    }
-
     nsCOMPtr<nsIPermissionManager> permMan =
       mozilla::services::GetPermissionManager();
     if (NS_WARN_IF(!permMan)) {
       return false;
     }
 
     const nsPromiseFlatCString permissionString =
       PromiseFlatCString(aPermissionString);
@@ -18543,34 +18537,19 @@ FactoryOp::CheckAtLeastOneAppHasPermissi
                  appId != nsIScriptSecurityManager::NO_APP_ID);
 
       nsCOMPtr<mozIApplication> app;
       nsresult rv = appsService->GetAppByLocalId(appId, getter_AddRefs(app));
       if (NS_WARN_IF(NS_FAILED(rv))) {
         return false;
       }
 
-      nsString origin;
-      rv = app->GetOrigin(origin);
-      if (NS_WARN_IF(NS_FAILED(rv))) {
-        return false;
-      }
-
-      nsCOMPtr<nsIURI> uri;
-      rv = NS_NewURI(getter_AddRefs(uri), origin, nullptr, nullptr, ioService);
-      if (NS_WARN_IF(NS_FAILED(rv))) {
-        return false;
-      }
-
       nsCOMPtr<nsIPrincipal> principal;
-      rv = secMan->GetAppCodebasePrincipal(uri, appId, false,
-                                           getter_AddRefs(principal));
-      if (NS_WARN_IF(NS_FAILED(rv))) {
-        return false;
-      }
+      app->GetPrincipal(getter_AddRefs(principal));
+      NS_ENSURE_TRUE(principal, false);
 
       uint32_t permission;
       rv = permMan->TestExactPermissionFromPrincipal(principal,
                                                      permissionString.get(),
                                                      &permission);
       if (NS_WARN_IF(NS_FAILED(rv))) {
         return false;
       }
--- a/dom/indexedDB/test/unit/test_defaultStorageUpgrade.js
+++ b/dom/indexedDB/test/unit/test_defaultStorageUpgrade.js
@@ -87,18 +87,19 @@ function testSteps()
                          .getService(SpecialPowers.Ci.nsIScriptSecurityManager);
 
   function openDatabase(params) {
     let request;
     if ("url" in params) {
       let uri = ios.newURI(params.url, null, null);
       let principal;
       if ("appId" in params) {
-        principal = ssm.getAppCodebasePrincipal(uri, params.appId,
-                                                params.inMozBrowser);
+        principal =
+          ssm.createCodebasePrincipal(uri, {appId: params.appId,
+                                            inBrowser: params.inMozBrowser});
       } else {
         principal = ssm.getNoAppCodebasePrincipal(uri);
       }
       if ("dbVersion" in params) {
         request = indexedDB.openForPrincipal(principal, params.dbName,
                                              params.dbVersion);
       } else {
         request = indexedDB.openForPrincipal(principal, params.dbName,
--- a/dom/ipc/AppProcessChecker.cpp
+++ b/dom/ipc/AppProcessChecker.cpp
@@ -7,17 +7,16 @@
 #include "AppProcessChecker.h"
 #include "nsIPermissionManager.h"
 #ifdef MOZ_CHILD_PERMISSIONS
 #include "ContentParent.h"
 #include "mozIApplication.h"
 #include "mozilla/hal_sandbox/PHalParent.h"
 #include "nsIAppsService.h"
 #include "nsIPrincipal.h"
-#include "nsIScriptSecurityManager.h"
 #include "nsPrintfCString.h"
 #include "nsIURI.h"
 #include "nsNetUtil.h"
 #include "nsServiceManagerUtils.h"
 #include "TabParent.h"
 
 #include <algorithm>
 
@@ -227,31 +226,20 @@ already_AddRefed<nsIPrincipal>
 GetAppPrincipal(uint32_t aAppId)
 {
   nsCOMPtr<nsIAppsService> appsService = do_GetService(APPS_SERVICE_CONTRACTID);
 
   nsCOMPtr<mozIApplication> app;
   nsresult rv = appsService->GetAppByLocalId(aAppId, getter_AddRefs(app));
   NS_ENSURE_SUCCESS(rv, nullptr);
 
-  nsString origin;
-  rv = app->GetOrigin(origin);
-  NS_ENSURE_SUCCESS(rv, nullptr);
-
-  nsCOMPtr<nsIURI> uri;
-  NS_NewURI(getter_AddRefs(uri), origin);
+  nsCOMPtr<nsIPrincipal> principal;
+  app->GetPrincipal(getter_AddRefs(principal));
 
-  nsCOMPtr<nsIScriptSecurityManager> secMan =
-    do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID);
-
-  nsCOMPtr<nsIPrincipal> appPrincipal;
-  rv = secMan->GetAppCodebasePrincipal(uri, aAppId, false,
-                                       getter_AddRefs(appPrincipal));
-  NS_ENSURE_SUCCESS(rv, nullptr);
-  return appPrincipal.forget();
+  return principal.forget();
 }
 
 uint32_t
 CheckPermission(PContentParent* aActor,
                 nsIPrincipal* aPrincipal,
                 const char* aPermission)
 {
   if (!AssertAppPrincipal(aActor, aPrincipal)) {
--- a/dom/ipc/TabChild.cpp
+++ b/dom/ipc/TabChild.cpp
@@ -1557,33 +1557,25 @@ void
 TabChild::MaybeRequestPreinitCamera()
 {
     // Check if this tab will use the `camera` permission.
     nsCOMPtr<nsIAppsService> appsService = do_GetService("@mozilla.org/AppsService;1");
     if (NS_WARN_IF(!appsService)) {
       return;
     }
 
-    nsString manifestUrl = EmptyString();
-    appsService->GetManifestURLByLocalId(OwnAppId(), manifestUrl);
-    nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
-    if (NS_WARN_IF(!secMan)) {
-      return;
-    }
-
-    nsCOMPtr<nsIURI> uri;
-    nsresult rv = NS_NewURI(getter_AddRefs(uri), manifestUrl);
+    nsCOMPtr<mozIApplication> app;
+    nsresult rv = appsService->GetAppByLocalId(OwnAppId(), getter_AddRefs(app));
     if (NS_WARN_IF(NS_FAILED(rv))) {
       return;
     }
 
     nsCOMPtr<nsIPrincipal> principal;
-    rv = secMan->GetAppCodebasePrincipal(uri, OwnAppId(), false,
-                                         getter_AddRefs(principal));
-    if (NS_WARN_IF(NS_FAILED(rv))) {
+    app->GetPrincipal(getter_AddRefs(principal));
+    if (NS_WARN_IF(!principal)) {
       return;
     }
 
     uint16_t status = nsIPrincipal::APP_STATUS_NOT_INSTALLED;
     principal->GetAppStatus(&status);
     bool isCertified = status == nsIPrincipal::APP_STATUS_CERTIFIED;
     if (!isCertified) {
       return;
--- a/dom/payment/Payment.jsm
+++ b/dom/payment/Payment.jsm
@@ -231,18 +231,19 @@ let PaymentManager =  {
         };
 
 #ifdef MOZ_B2G
         // Let this payment provider access the firefox-accounts API when
         // it's loaded in the trusted UI.
         if (systemAppId != Ci.nsIScriptSecurityManager.NO_APP_ID) {
           this.LOG("Granting firefox-accounts permission to " + provider.uri);
           let uri = Services.io.newURI(provider.uri, null, null);
-          let principal = Services.scriptSecurityManager
-                            .getAppCodebasePrincipal(uri, systemAppId, true);
+          let attrs = {appId: systemAppId, inBrowser: true};
+          let principal =
+            Services.scriptSecurityManager.createCodebasePrincipal(uri, attrs);
 
           Services.perms.addFromPrincipal(principal, "firefox-accounts",
                                           Ci.nsIPermissionManager.ALLOW_ACTION,
                                           Ci.nsIPermissionManager.EXPIRE_SESSION);
         }
 #endif
 
         if (this._debug) {
--- a/dom/permission/PermissionSettings.js
+++ b/dom/permission/PermissionSettings.js
@@ -30,20 +30,24 @@ function PermissionSettings()
 
 XPCOMUtils.defineLazyServiceGetter(this,
                                    "appsService",
                                    "@mozilla.org/AppsService;1",
                                    "nsIAppsService");
 
 PermissionSettings.prototype = {
   get: function get(aPermName, aManifestURL, aOrigin, aBrowserFlag) {
+    // TODO: Bug 1196644 - Add signPKg parameter into PermissionSettings.js
     debug("Get called with: " + aPermName + ", " + aManifestURL + ", " + aOrigin + ", " + aBrowserFlag);
     let uri = Services.io.newURI(aOrigin, null, null);
     let appID = appsService.getAppLocalIdByManifestURL(aManifestURL);
-    let principal = Services.scriptSecurityManager.getAppCodebasePrincipal(uri, appID, aBrowserFlag);
+    let principal =
+      Services.scriptSecurityManager.createCodebasePrincipal(uri,
+                                                             {appId: appID,
+                                                              inBrowser: aBrowserFlag});
     let result = Services.perms.testExactPermanentPermission(principal, aPermName);
 
     switch (result)
     {
       case Ci.nsIPermissionManager.UNKNOWN_ACTION:
         return "unknown";
       case Ci.nsIPermissionManager.ALLOW_ACTION:
         return "allow";
@@ -54,21 +58,22 @@ PermissionSettings.prototype = {
       default:
         dump("Unsupported PermissionSettings Action!\n");
         return "unknown";
     }
   },
 
   isExplicit: function isExplicit(aPermName, aManifestURL, aOrigin,
                                   aBrowserFlag) {
+    // TODO: Bug 1196644 - Add signPKg parameter into PermissionSettings.js
     debug("isExplicit: " + aPermName + ", " + aManifestURL + ", " + aOrigin);
     let uri = Services.io.newURI(aOrigin, null, null);
     let app = appsService.getAppByManifestURL(aManifestURL);
     let principal = Services.scriptSecurityManager
-      .getAppCodebasePrincipal(uri, app.localId, aBrowserFlag);
+      .createCodebasePrincipal(uri, {appId: app.localId, inBrowser: aBrowserFlag});
 
     return isExplicitInPermissionsTable(aPermName,
                                         principal.appStatus,
                                         app.kind);
   },
 
   set: function set(aPermName, aPermValue, aManifestURL, aOrigin,
                     aBrowserFlag) {
@@ -94,19 +99,23 @@ PermissionSettings.prototype = {
       origin: aOrigin,
       manifestURL: aManifestURL,
       value: aPermValue,
       browserFlag: aBrowserFlag
     });
   },
 
   remove: function remove(aPermName, aManifestURL, aOrigin) {
+    // TODO: Bug 1196644 - Add signPKg parameter into PermissionSettings.js
     let uri = Services.io.newURI(aOrigin, null, null);
     let appID = appsService.getAppLocalIdByManifestURL(aManifestURL);
-    let principal = Services.scriptSecurityManager.getAppCodebasePrincipal(uri, appID, true);
+    let principal =
+      Services.scriptSecurityManager.createCodebasePrincipal(uri,
+                                                             {appId: appID,
+                                                              inBrowser: true});
 
     if (principal.appStatus !== Ci.nsIPrincipal.APP_STATUS_NOT_INSTALLED) {
       let errorMsg = "PermissionSettings.js: '" + aOrigin + "'" +
                      " is installed or permission is implicit, cannot remove '" +
                      aPermName + "'.";
       Cu.reportError(errorMsg);
       throw new Components.Exception(errorMsg);
     }
--- a/dom/permission/PermissionSettings.jsm
+++ b/dom/permission/PermissionSettings.jsm
@@ -62,19 +62,23 @@ this.PermissionSettingsModule = {
   addPermission: function addPermission(aData, aCallbacks) {
 
     this._internalAddPermission(aData, true, aCallbacks);
 
   },
 
 
   _internalAddPermission: function _internalAddPermission(aData, aAllowAllChanges, aCallbacks) {
+    // TODO: Bug 1196644 - Add signPKg parameter into PermissionSettings.jsm
     let uri = Services.io.newURI(aData.origin, null, null);
     let app = appsService.getAppByManifestURL(aData.manifestURL);
-    let principal = Services.scriptSecurityManager.getAppCodebasePrincipal(uri, app.localId, aData.browserFlag);
+    let principal =
+      Services.scriptSecurityManager.createCodebasePrincipal(uri,
+                                                             {appId: app.localId,
+                                                              inBrowser: aData.browserFlag});
 
     let action;
     switch (aData.value)
     {
       case "unknown":
         action = Ci.nsIPermissionManager.UNKNOWN_ACTION;
         break;
       case "allow":
@@ -98,20 +102,24 @@ this.PermissionSettingsModule = {
       return true;
     } else {
       debug("add Failure: " + aData.origin + " " + app.localId + " " + action);
       return false; // This isn't currently used, see comment on setPermission
     }
   },
 
   getPermission: function getPermission(aPermName, aManifestURL, aOrigin, aBrowserFlag) {
+    // TODO: Bug 1196644 - Add signPKg parameter into PermissionSettings.jsm
     debug("getPermission: " + aPermName + ", " + aManifestURL + ", " + aOrigin);
     let uri = Services.io.newURI(aOrigin, null, null);
     let appID = appsService.getAppLocalIdByManifestURL(aManifestURL);
-    let principal = Services.scriptSecurityManager.getAppCodebasePrincipal(uri, appID, aBrowserFlag);
+    let principal =
+      Services.scriptSecurityManager.createCodebasePrincipal(uri,
+                                                             {appId: appID,
+                                                              inBrowser: aBrowserFlag});
     let result = Services.perms.testExactPermissionFromPrincipal(principal, aPermName);
 
     switch (result)
     {
       case Ci.nsIPermissionManager.UNKNOWN_ACTION:
         return "unknown";
       case Ci.nsIPermissionManager.ALLOW_ACTION:
         return "allow";
--- a/dom/quota/QuotaManager.cpp
+++ b/dom/quota/QuotaManager.cpp
@@ -5283,20 +5283,19 @@ StorageDirectoryHelper::RunOnMainThread(
           return rv;
         }
 
         nsCOMPtr<nsIPrincipal> principal;
         if (originProps.mAppId == kUnknownAppId) {
           rv = secMan->GetSimpleCodebasePrincipal(uri,
                                                   getter_AddRefs(principal));
         } else {
-          rv = secMan->GetAppCodebasePrincipal(uri,
-                                               originProps.mAppId,
-                                               originProps.mInMozBrowser,
-                                               getter_AddRefs(principal));
+          OriginAttributes attrs(originProps.mAppId, originProps.mInMozBrowser);
+          principal = BasePrincipal::CreateCodebasePrincipal(uri, attrs);
+          rv = principal ? NS_OK : NS_ERROR_FAILURE;
         }
         if (NS_WARN_IF(NS_FAILED(rv))) {
           return rv;
         }
 
         if (mCreate) {
           rv = QuotaManager::GetInfoFromPrincipal(principal,
                                                   &originProps.mGroup,
--- a/extensions/cookie/nsPermissionManager.cpp
+++ b/extensions/cookie/nsPermissionManager.cpp
@@ -121,20 +121,23 @@ GetPrincipalFromOrigin(const nsACString&
   principal.forget(aPrincipal);
   return NS_OK;
 }
 
 
 nsresult
 GetPrincipal(nsIURI* aURI, uint32_t aAppId, bool aIsInBrowserElement, nsIPrincipal** aPrincipal)
 {
-  nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
-  NS_ENSURE_TRUE(secMan, NS_ERROR_FAILURE);
-
-  return secMan->GetAppCodebasePrincipal(aURI, aAppId, aIsInBrowserElement, aPrincipal);
+  // TODO: Bug 1165267 - Use OriginAttributes for nsCookieService
+  mozilla::OriginAttributes attrs(aAppId, aIsInBrowserElement);
+  nsCOMPtr<nsIPrincipal> principal = mozilla::BasePrincipal::CreateCodebasePrincipal(aURI, attrs);
+  NS_ENSURE_TRUE(principal, NS_ERROR_FAILURE);
+
+  principal.forget(aPrincipal);
+  return NS_OK;
 }
 
 nsresult
 GetPrincipal(nsIURI* aURI, nsIPrincipal** aPrincipal)
 {
   nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
   NS_ENSURE_TRUE(secMan, NS_ERROR_FAILURE);
 
--- a/extensions/cookie/test/test_app_uninstall_permissions.html
+++ b/extensions/cookie/test/test_app_uninstall_permissions.html
@@ -62,29 +62,32 @@ var gManifestURL = "http://www.example.c
 
 function onInstall() {
   var testAppId = appsService.getAppLocalIdByManifestURL(gManifestURL);
 
   is(getPermissionCountForApp(testAppId), 0, "App should have no permission");
 
   var currentPermissionCount = getPermissionCountForApp(-1);
 
-  var principal = secMan.getAppCodebasePrincipal(ioService.newURI("http://www.example.com", null, null),
-                                                 testAppId, false);
+  var attrs = {appId: testAppId};
+  var principal = secMan.createCodebasePrincipal(ioService.newURI("http://www.example.com", null, null),
+                                                 attrs);
 
   permManager.addFromPrincipal(principal, "foobar", Ci.nsIPermissionManager.ALLOW_ACTION);
   permManager.addFromPrincipal(principal, "foo", Ci.nsIPermissionManager.DENY_ACTION);
   permManager.addFromPrincipal(principal, "bar", Ci.nsIPermissionManager.ALLOW_ACTION, Ci.nsIPermissionManager.EXPIRE_SESSION, 0);
 
-  principal = secMan.getAppCodebasePrincipal(ioService.newURI("http://www.example.com", null, null),
-                                             testAppId, true);
+  attrs = {appId: testAppId, inBrowser: true};
+  principal = secMan.createCodebasePrincipal(ioService.newURI("http://www.example.com", null, null),
+                                             attrs);
   permManager.addFromPrincipal(principal, "foobar", Ci.nsIPermissionManager.ALLOW_ACTION);
 
-  principal = secMan.getAppCodebasePrincipal(ioService.newURI("http://www.example.org", null, null),
-                                             testAppId, false);
+  attrs = {appId: testAppId};
+  principal = secMan.createCodebasePrincipal(ioService.newURI("http://www.example.org", null, null),
+                                             attrs);
   permManager.addFromPrincipal(principal, "foobar", Ci.nsIPermissionManager.ALLOW_ACTION);
 
   is(getPermissionCountForApp(testAppId), 5, "App should have 5 permissions");
 
   // Not installed means not installed as native app.
   navigator.mozApps.mgmt.getNotInstalled().onsuccess = function() {
     for (i in this.result) {
       var app = this.result[i];
--- a/extensions/cookie/test/unit/test_permmanager_cleardata.js
+++ b/extensions/cookie/test/unit/test_permmanager_cleardata.js
@@ -1,17 +1,18 @@
 /* Any copyright is dedicated to the Public Domain.
    http://creativecommons.org/publicdomain/zero/1.0/ */
 
 let pm;
 
 // Create a principal based on the { origin, appId, browserElement }.
 function createPrincipal(aOrigin, aAppId, aBrowserElement)
 {
-  return Services.scriptSecurityManager.getAppCodebasePrincipal(NetUtil.newURI(aOrigin), aAppId, aBrowserElement);
+  var attrs = {appId: aAppId, inBrowser: aBrowserElement};
+  return Services.scriptSecurityManager.createCodebasePrincipal(NetUtil.newURI(aOrigin), attrs);
 }
 
 // Return the subject required by 'webapps-clear-data' notification.
 function getSubject(aAppId, aBrowserOnly)
 {
   return {
     appId: aAppId,
     browserOnly: aBrowserOnly,
--- a/extensions/cookie/test/unit/test_permmanager_defaults.js
+++ b/extensions/cookie/test/unit/test_permmanager_defaults.js
@@ -50,18 +50,19 @@ add_task(function* do_test() {
   let pm = Cc["@mozilla.org/permissionmanager;1"].
            getService(Ci.nsIPermissionManager);
 
   // test the default permission was applied.
   let principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(TEST_ORIGIN);
   let principalHttps = Services.scriptSecurityManager.getNoAppCodebasePrincipal(TEST_ORIGIN_HTTPS);
   let principal2 = Services.scriptSecurityManager.getNoAppCodebasePrincipal(TEST_ORIGIN_2);
   let principal3 = Services.scriptSecurityManager.getNoAppCodebasePrincipal(TEST_ORIGIN_3);
-  let principal4 = Services.scriptSecurityManager.getAppCodebasePrincipal(TEST_ORIGIN, 1000, true);
-  let principal5 = Services.scriptSecurityManager.getAppCodebasePrincipal(TEST_ORIGIN_3, 1000, true);
+  let attrs = {appId: 1000, inBrowser: true};
+  let principal4 = Services.scriptSecurityManager.createCodebasePrincipal(TEST_ORIGIN, attrs);
+  let principal5 = Services.scriptSecurityManager.createCodebasePrincipal(TEST_ORIGIN_3, attrs);
 
   do_check_eq(Ci.nsIPermissionManager.ALLOW_ACTION,
               pm.testPermissionFromPrincipal(principal, TEST_PERMISSION));
   do_check_eq(Ci.nsIPermissionManager.ALLOW_ACTION,
               pm.testPermissionFromPrincipal(principalHttps, TEST_PERMISSION));
   do_check_eq(Ci.nsIPermissionManager.ALLOW_ACTION,
               pm.testPermissionFromPrincipal(principal3, TEST_PERMISSION));
   do_check_eq(Ci.nsIPermissionManager.ALLOW_ACTION,
--- a/extensions/cookie/test/unit/test_permmanager_matches.js
+++ b/extensions/cookie/test/unit/test_permmanager_matches.js
@@ -40,43 +40,47 @@ function run_test() {
 
   let uri0_n_n = secMan.getNoAppCodebasePrincipal(uri0);
   let uri1_n_n = secMan.getNoAppCodebasePrincipal(uri1);
   let uri2_n_n = secMan.getNoAppCodebasePrincipal(uri2);
   let uri3_n_n = secMan.getNoAppCodebasePrincipal(uri3);
   let uri4_n_n = secMan.getNoAppCodebasePrincipal(uri4);
   let uri5_n_n = secMan.getNoAppCodebasePrincipal(uri5);
 
-  let uri0_1000_n = secMan.getAppCodebasePrincipal(uri0, 1000, false);
-  let uri1_1000_n = secMan.getAppCodebasePrincipal(uri1, 1000, false);
-  let uri2_1000_n = secMan.getAppCodebasePrincipal(uri2, 1000, false);
-  let uri3_1000_n = secMan.getAppCodebasePrincipal(uri3, 1000, false);
-  let uri4_1000_n = secMan.getAppCodebasePrincipal(uri4, 1000, false);
-  let uri5_1000_n = secMan.getAppCodebasePrincipal(uri5, 1000, false);
+  let attrs = {appId: 1000};
+  let uri0_1000_n = secMan.createCodebasePrincipal(uri0, attrs);
+  let uri1_1000_n = secMan.createCodebasePrincipal(uri1, attrs);
+  let uri2_1000_n = secMan.createCodebasePrincipal(uri2, attrs);
+  let uri3_1000_n = secMan.createCodebasePrincipal(uri3, attrs);
+  let uri4_1000_n = secMan.createCodebasePrincipal(uri4, attrs);
+  let uri5_1000_n = secMan.createCodebasePrincipal(uri5, attrs);
 
-  let uri0_1000_y = secMan.getAppCodebasePrincipal(uri0, 1000, true);
-  let uri1_1000_y = secMan.getAppCodebasePrincipal(uri1, 1000, true);
-  let uri2_1000_y = secMan.getAppCodebasePrincipal(uri2, 1000, true);
-  let uri3_1000_y = secMan.getAppCodebasePrincipal(uri3, 1000, true);
-  let uri4_1000_y = secMan.getAppCodebasePrincipal(uri4, 1000, true);
-  let uri5_1000_y = secMan.getAppCodebasePrincipal(uri5, 1000, true);
+  attrs = {appId: 1000, inBrowser: true};
+  let uri0_1000_y = secMan.createCodebasePrincipal(uri0, attrs);
+  let uri1_1000_y = secMan.createCodebasePrincipal(uri1, attrs);
+  let uri2_1000_y = secMan.createCodebasePrincipal(uri2, attrs);
+  let uri3_1000_y = secMan.createCodebasePrincipal(uri3, attrs);
+  let uri4_1000_y = secMan.createCodebasePrincipal(uri4, attrs);
+  let uri5_1000_y = secMan.createCodebasePrincipal(uri5, attrs);
 
-  let uri0_2000_n = secMan.getAppCodebasePrincipal(uri0, 2000, false);
-  let uri1_2000_n = secMan.getAppCodebasePrincipal(uri1, 2000, false);
-  let uri2_2000_n = secMan.getAppCodebasePrincipal(uri2, 2000, false);
-  let uri3_2000_n = secMan.getAppCodebasePrincipal(uri3, 2000, false);
-  let uri4_2000_n = secMan.getAppCodebasePrincipal(uri4, 2000, false);
-  let uri5_2000_n = secMan.getAppCodebasePrincipal(uri5, 2000, false);
+  attrs = {appId: 2000};
+  let uri0_2000_n = secMan.createCodebasePrincipal(uri0, attrs);
+  let uri1_2000_n = secMan.createCodebasePrincipal(uri1, attrs);
+  let uri2_2000_n = secMan.createCodebasePrincipal(uri2, attrs);
+  let uri3_2000_n = secMan.createCodebasePrincipal(uri3, attrs);
+  let uri4_2000_n = secMan.createCodebasePrincipal(uri4, attrs);
+  let uri5_2000_n = secMan.createCodebasePrincipal(uri5, attrs);
 
-  let uri0_2000_y = secMan.getAppCodebasePrincipal(uri0, 2000, true);
-  let uri1_2000_y = secMan.getAppCodebasePrincipal(uri1, 2000, true);
-  let uri2_2000_y = secMan.getAppCodebasePrincipal(uri2, 2000, true);
-  let uri3_2000_y = secMan.getAppCodebasePrincipal(uri3, 2000, true);
-  let uri4_2000_y = secMan.getAppCodebasePrincipal(uri4, 2000, true);
-  let uri5_2000_y = secMan.getAppCodebasePrincipal(uri5, 2000, true);
+  attrs = {appId: 2000, inBrowser: true};
+  let uri0_2000_y = secMan.createCodebasePrincipal(uri0, attrs);
+  let uri1_2000_y = secMan.createCodebasePrincipal(uri1, attrs);
+  let uri2_2000_y = secMan.createCodebasePrincipal(uri2, attrs);
+  let uri3_2000_y = secMan.createCodebasePrincipal(uri3, attrs);
+  let uri4_2000_y = secMan.createCodebasePrincipal(uri4, attrs);
+  let uri5_2000_y = secMan.createCodebasePrincipal(uri5, attrs);
 
   pm.addFromPrincipal(uri0_n_n, "test/matches", pm.ALLOW_ACTION);
   let perm_n_n = pm.getPermissionObject(uri0_n_n, "test/matches", true);
   pm.addFromPrincipal(uri0_1000_n, "test/matches", pm.ALLOW_ACTION);
   let perm_1000_n = pm.getPermissionObject(uri0_1000_n, "test/matches", true);
   pm.addFromPrincipal(uri0_1000_y, "test/matches", pm.ALLOW_ACTION);
   let perm_1000_y = pm.getPermissionObject(uri0_1000_y, "test/matches", true);
   pm.addFromPrincipal(uri0_2000_n, "test/matches", pm.ALLOW_ACTION);
--- a/extensions/cookie/test/unit/test_permmanager_matchesuri.js
+++ b/extensions/cookie/test/unit/test_permmanager_matchesuri.js
@@ -25,18 +25,19 @@ function matches_never(perm, uris) {
 function mk_permission(uri, isAppPermission = false) {
   let pm = Cc["@mozilla.org/permissionmanager;1"].
         getService(Ci.nsIPermissionManager);
 
   let secMan = Cc["@mozilla.org/scriptsecuritymanager;1"]
         .getService(Ci.nsIScriptSecurityManager);
 
   // Get the permission from the principal!
+  let attrs = {appId: 1000};
   let principal = isAppPermission ?
-        secMan.getAppCodebasePrincipal(uri, 1000, false) :
+        secMan.createCodebasePrincipal(uri, attrs) :
         secMan.getNoAppCodebasePrincipal(uri);
 
   pm.addFromPrincipal(principal, "test/matchesuri", pm.ALLOW_ACTION);
   let permission = pm.getPermissionObject(principal, "test/matchesuri", true);
 
   return permission;
 }
 
--- a/ipc/glue/BackgroundUtils.cpp
+++ b/ipc/glue/BackgroundUtils.cpp
@@ -1,16 +1,17 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "BackgroundUtils.h"
 
 #include "MainThreadUtils.h"
 #include "mozilla/Assertions.h"
+#include "mozilla/BasePrincipal.h"
 #include "mozilla/ipc/PBackgroundSharedTypes.h"
 #include "mozilla/net/NeckoChannelParams.h"
 #include "nsPrincipal.h"
 #include "nsIScriptSecurityManager.h"
 #include "nsIURI.h"
 #include "nsNetUtil.h"
 #include "mozilla/LoadInfo.h"
 #include "nsNullPrincipal.h"
@@ -18,16 +19,18 @@
 #include "nsString.h"
 #include "nsTArray.h"
 
 namespace mozilla {
 namespace net {
 class OptionalLoadInfoArgs;
 }
 
+using mozilla::BasePrincipal;
+using mozilla::OriginAttributes;
 using namespace mozilla::net;
 
 namespace ipc {
 
 already_AddRefed<nsIPrincipal>
 PrincipalInfoToPrincipal(const PrincipalInfo& aPrincipalInfo,
                          nsresult* aOptionalResult)
 {
@@ -72,20 +75,20 @@ PrincipalInfoToPrincipal(const Principal
       rv = NS_NewURI(getter_AddRefs(uri), info.spec());
       if (NS_WARN_IF(NS_FAILED(rv))) {
         return nullptr;
       }
 
       if (info.appId() == nsIScriptSecurityManager::UNKNOWN_APP_ID) {
         rv = secMan->GetSimpleCodebasePrincipal(uri, getter_AddRefs(principal));
       } else {
-        rv = secMan->GetAppCodebasePrincipal(uri,
-                                             info.appId(),
-                                             info.isInBrowserElement(),
-                                             getter_AddRefs(principal));
+        // TODO: Bug 1167100 - User nsIPrincipal.originAttribute in ContentPrincipalInfo
+        OriginAttributes attrs(info.appId(), info.isInBrowserElement());
+        principal = BasePrincipal::CreateCodebasePrincipal(uri, attrs);
+        rv = principal ? NS_OK : NS_ERROR_FAILURE;
       }
       if (NS_WARN_IF(NS_FAILED(rv))) {
         return nullptr;
       }
 
       return principal.forget();
     }
 
--- a/netwerk/cookie/CookieServiceParent.cpp
+++ b/netwerk/cookie/CookieServiceParent.cpp
@@ -2,48 +2,51 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "mozilla/net/CookieServiceParent.h"
 #include "mozilla/dom/PContentParent.h"
 #include "mozilla/net/NeckoParent.h"
 
+#include "mozilla/BasePrincipal.h"
 #include "mozilla/ipc/URIUtils.h"
 #include "nsCookieService.h"
 #include "nsIScriptSecurityManager.h"
 #include "nsIPrivateBrowsingChannel.h"
 #include "nsNetCID.h"
 #include "nsPrintfCString.h"
 #include "SerializedLoadContext.h"
 
 using namespace mozilla::ipc;
+using mozilla::BasePrincipal;
+using mozilla::OriginAttributes;
 using mozilla::dom::PContentParent;
 using mozilla::net::NeckoParent;
 
 namespace {
 
 // Ignore failures from this function, as they only affect whether we do or
 // don't show a dialog box in private browsing mode if the user sets a pref.
 void
 CreateDummyChannel(nsIURI* aHostURI, uint32_t aAppId, bool aInMozBrowser,
                    bool aIsPrivate, nsIChannel **aChannel)
 {
   MOZ_ASSERT(aAppId != nsIScriptSecurityManager::UNKNOWN_APP_ID);
 
-  nsCOMPtr<nsIPrincipal> principal;
-  nsIScriptSecurityManager* ssm = nsContentUtils::GetSecurityManager();
-  nsresult rv = ssm->GetAppCodebasePrincipal(aHostURI, aAppId, aInMozBrowser,
-                                             getter_AddRefs(principal));
-  if (NS_FAILED(rv)) {
+  // TODO: Bug 1165267 - Use OriginAttributes for nsCookieService 
+  OriginAttributes attrs(aAppId, aInMozBrowser);
+  nsCOMPtr<nsIPrincipal> principal =
+    BasePrincipal::CreateCodebasePrincipal(aHostURI, attrs);
+  if (!principal) {
     return;
   }
 
   nsCOMPtr<nsIURI> dummyURI;
-  rv = NS_NewURI(getter_AddRefs(dummyURI), "about:blank");
+  nsresult rv = NS_NewURI(getter_AddRefs(dummyURI), "about:blank");
   if (NS_FAILED(rv)) {
       return;
   }
 
   nsCOMPtr<nsIChannel> dummyChannel;
   NS_NewChannel(getter_AddRefs(dummyChannel), dummyURI, principal,
                 nsILoadInfo::SEC_NORMAL, nsIContentPolicy::TYPE_INVALID);
   nsCOMPtr<nsIPrivateBrowsingChannel> pbChannel = do_QueryInterface(dummyChannel);
--- a/netwerk/protocol/http/HttpChannelParent.cpp
+++ b/netwerk/protocol/http/HttpChannelParent.cpp
@@ -12,34 +12,36 @@
 #include "mozilla/dom/TabParent.h"
 #include "mozilla/net/NeckoParent.h"
 #include "mozilla/unused.h"
 #include "HttpChannelParentListener.h"
 #include "nsHttpHandler.h"
 #include "nsNetUtil.h"
 #include "nsISupportsPriority.h"
 #include "nsIAuthPromptProvider.h"
-#include "nsIScriptSecurityManager.h"
 #include "nsSerializationHelper.h"
 #include "nsISerializable.h"
 #include "nsIAssociatedContentSecurity.h"
 #include "nsIApplicationCacheService.h"
 #include "mozilla/ipc/InputStreamUtils.h"
 #include "mozilla/ipc/URIUtils.h"
 #include "SerializedLoadContext.h"
 #include "nsIAuthInformation.h"
 #include "nsIAuthPromptCallback.h"
 #include "nsIContentPolicy.h"
 #include "mozilla/ipc/BackgroundUtils.h"
 #include "nsIOService.h"
 #include "nsICachingChannel.h"
 #include "mozilla/LoadInfo.h"
 #include "nsIHttpHeaderVisitor.h"
 #include "nsQueryObject.h"
+#include "mozilla/BasePrincipal.h"
 
+using mozilla::BasePrincipal;
+using mozilla::OriginAttributes;
 using namespace mozilla::dom;
 using namespace mozilla::ipc;
 
 namespace mozilla {
 namespace net {
 
 HttpChannelParent::HttpChannelParent(const PBrowserOrId& iframeEmbedding,
                                      nsILoadContext* aLoadContext,
@@ -451,27 +453,25 @@ HttpChannelParent::DoAsyncOpen(  const U
     }
 
     if (setChooseApplicationCache) {
       bool inBrowser = false;
       if (mLoadContext) {
         mLoadContext->GetIsInBrowserElement(&inBrowser);
       }
 
+      // TODO: Bug 1165466 - use originAttribute in nsILoadContext.
+      OriginAttributes attrs(appId, inBrowser);
+      nsCOMPtr<nsIPrincipal> principal =
+        BasePrincipal::CreateCodebasePrincipal(uri, attrs);
+
       bool chooseAppCache = false;
-      nsCOMPtr<nsIScriptSecurityManager> secMan =
-        do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID);
-      if (secMan) {
-        nsCOMPtr<nsIPrincipal> principal;
-        secMan->GetAppCodebasePrincipal(uri, appId, inBrowser, getter_AddRefs(principal));
-
-        // This works because we've already called SetNotificationCallbacks and
-        // done mPBOverride logic by this point.
-        chooseAppCache = NS_ShouldCheckAppCache(principal, NS_UsePrivateBrowsing(mChannel));
-      }
+      // This works because we've already called SetNotificationCallbacks and
+      // done mPBOverride logic by this point.
+      chooseAppCache = NS_ShouldCheckAppCache(principal, NS_UsePrivateBrowsing(mChannel));
 
       appCacheChan->SetChooseApplicationCache(chooseAppCache);
     }
   }
 
   nsID schedulingContextID;
   schedulingContextID.Parse(aSchedulingContextID.BeginReading());
   mChannel->SetSchedulingContextID(schedulingContextID);
--- a/netwerk/test/unit/test_auth_jar.js
+++ b/netwerk/test/unit/test_auth_jar.js
@@ -8,19 +8,19 @@ function createURI(s) {
 }
  
 function run_test() {
   // Set up a profile.
   do_get_profile();
 
   var secMan = Cc["@mozilla.org/scriptsecuritymanager;1"].getService(Ci.nsIScriptSecurityManager);
   const kURI1 = "http://example.com";
-  var app1 = secMan.getAppCodebasePrincipal(createURI(kURI1), 1, false);
-  var app10 = secMan.getAppCodebasePrincipal(createURI(kURI1), 10, false);
-  var app1browser = secMan.getAppCodebasePrincipal(createURI(kURI1), 1, true);
+  var app1 = secMan.createCodebasePrincipal(createURI(kURI1), {appId: 1});
+  var app10 = secMan.createCodebasePrincipal(createURI(kURI1),{appId: 10});
+  var app1browser = secMan.createCodebasePrincipal(createURI(kURI1), {appId: 1, inBrowser: true});
 
   var am = Cc["@mozilla.org/network/http-auth-manager;1"].
            getService(Ci.nsIHttpAuthManager);
   am.setAuthIdentity("http", "a.example.com", -1, "basic", "realm", "", "example.com", "user", "pass", false, app1);
   am.setAuthIdentity("http", "a.example.com", -1, "basic", "realm", "", "example.com", "user3", "pass3", false, app1browser);
   am.setAuthIdentity("http", "a.example.com", -1, "basic", "realm", "", "example.com", "user2", "pass2", false, app10);
 
   let subject = {
--- a/services/fxaccounts/tests/xpcshell/test_manager.js
+++ b/services/fxaccounts/tests/xpcshell/test_manager.js
@@ -20,17 +20,17 @@ let deletedOnServer = false;
 // Global representing FxAccounts state
 let certExpired = false;
 
 // Mock RP
 function makePrincipal(origin, appId) {
   let secMan = Cc["@mozilla.org/scriptsecuritymanager;1"]
                  .getService(Ci.nsIScriptSecurityManager);
   let uri = Services.io.newURI(origin, null, null);
-  return secMan.getAppCodebasePrincipal(uri, appId, false);
+  return secMan.createCodebasePrincipal(uri, {appId: appId});
 }
 let principal = makePrincipal('app://settings.gaiamobile.org', 27, false);
 
 // For override FxAccountsUIGlue.
 let fakeFxAccountsUIGlueCID;
 
 // FxAccountsUIGlue fake component.
 let FxAccountsUIGlue = {
--- a/services/mobileid/MobileIdentityManager.jsm
+++ b/services/mobileid/MobileIdentityManager.jsm
@@ -892,19 +892,17 @@ this.MobileIdentityManager = {
     );
 
     return deferred.promise;
   },
 
   getMobileIdAssertion: function(aPrincipal, aPromiseId, aOptions) {
     log.debug("getMobileIdAssertion ${}", aPrincipal);
 
-    let uri = Services.io.newURI(aPrincipal.origin, null, null);
-    let principal = securityManager.getAppCodebasePrincipal(
-      uri, aPrincipal.appId, aPrincipal.isInBrowserElement);
+    let principal = aPrincipal;
     let manifestURL = appsService.getManifestURLByLocalId(aPrincipal.appId);
 
     let permission = permissionManager.testPermissionFromPrincipal(
       principal,
       MOBILEID_PERM
     );
 
     if (permission == Ci.nsIPermissionManager.DENY_ACTION ||
--- a/services/mobileid/tests/xpcshell/head.js
+++ b/services/mobileid/tests/xpcshell/head.js
@@ -120,31 +120,33 @@ const INVALID_RADIO_INTERFACE = {
 const CERTIFICATE = "eyJhbGciOiJEUzI1NiJ9.eyJsYXN0QXV0aEF0IjoxNDA0NDY5NzkyODc3LCJ2ZXJpZmllZE1TSVNETiI6IiszMTYxNzgxNTc1OCIsInB1YmxpYy1rZXkiOnsiYWxnb3JpdGhtIjoiRFMiLCJ5IjoiNGE5YzkzNDY3MWZhNzQ3YmM2ZjMyNjE0YTg1MzUyZjY5NDcwMDdhNTRkMDAxMDY4OWU5ZjJjZjc0ZGUwYTEwZTRlYjlmNDk1ZGFmZTA0NGVjZmVlNDlkN2YwOGU4ODQyMDJiOTE5OGRhNWZhZWE5MGUzZjRmNzE1YzZjNGY4Yjc3MGYxZTU4YWZhNDM0NzVhYmFiN2VlZGE1MmUyNjk2YzFmNTljNzMzYjFlYzBhNGNkOTM1YWIxYzkyNzAxYjNiYTA5ZDRhM2E2MzNjNTJmZjE2NGYxMWY3OTg1YzlmZjY3ZThmZDFlYzA2NDU3MTdkMjBiNDE4YmM5M2YzYzVkNCIsInAiOiJmZjYwMDQ4M2RiNmFiZmM1YjQ1ZWFiNzg1OTRiMzUzM2Q1NTBkOWYxYmYyYTk5MmE3YThkYWE2ZGMzNGY4MDQ1YWQ0ZTZlMGM0MjlkMzM0ZWVlYWFlZmQ3ZTIzZDQ4MTBiZTAwZTRjYzE0OTJjYmEzMjViYTgxZmYyZDVhNWIzMDVhOGQxN2ViM2JmNGEwNmEzNDlkMzkyZTAwZDMyOTc0NGE1MTc5MzgwMzQ0ZTgyYTE4YzQ3OTMzNDM4Zjg5MWUyMmFlZWY4MTJkNjljOGY3NWUzMjZjYjcwZWEwMDBjM2Y3NzZkZmRiZDYwNDYzOGMyZWY3MTdmYzI2ZDAyZTE3IiwicSI6ImUyMWUwNGY5MTFkMWVkNzk5MTAwOGVjYWFiM2JmNzc1OTg0MzA5YzMiLCJnIjoiYzUyYTRhMGZmM2I3ZTYxZmRmMTg2N2NlODQxMzgzNjlhNjE1NGY0YWZhOTI5NjZlM2M4MjdlMjVjZmE2Y2Y1MDhiOTBlNWRlNDE5ZTEzMzdlMDdhMmU5ZTJhM2NkNWRlYTcwNGQxNzVmOGViZjZhZjM5N2Q2OWUxMTBiOTZhZmIxN2M3YTAzMjU5MzI5ZTQ4MjliMGQwM2JiYzc4OTZiMTViNGFkZTUzZTEzMDg1OGNjMzRkOTYyNjlhYTg5MDQxZjQwOTEzNmM3MjQyYTM4ODk1YzlkNWJjY2FkNGYzODlhZjFkN2E0YmQxMzk4YmQwNzJkZmZhODk2MjMzMzk3YSJ9LCJwcmluY2lwYWwiOiIwMzgxOTgyYS0xZTgzLTI1NjYtNjgzZS05MDRmNDA0NGM1MGRAbXNpc2RuLWRldi5zdGFnZS5tb3phd3MubmV0IiwiaWF0IjoxNDA0NDY5NzgyODc3LCJleHAiOjE0MDQ0OTEzOTI4NzcsImlzcyI6Im1zaXNkbi1kZXYuc3RhZ2UubW96YXdzLm5ldCJ9."
 
 // === Helpers ===
 
 function addPermission(aAction) {
   let uri = Cc["@mozilla.org/network/io-service;1"]
               .getService(Ci.nsIIOService)
               .newURI(ORIGIN, null, null);
+  let attrs = {appId: APP_ID};
   let _principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
                      .getService(Ci.nsIScriptSecurityManager)
-                     .getAppCodebasePrincipal(uri, APP_ID, false);
+                     .createCodebasePrincipal(uri, attrs);
   let pm = Cc["@mozilla.org/permissionmanager;1"]
              .getService(Ci.nsIPermissionManager);
   pm.addFromPrincipal(_principal, MOBILEID_PERM, aAction);
 }
 
 function removePermission() {
   let uri = Cc["@mozilla.org/network/io-service;1"]
               .getService(Ci.nsIIOService)
               .newURI(ORIGIN, null, null);
+  let attrs = {appId: APP_ID};
   let _principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
                      .getService(Ci.nsIScriptSecurityManager)
-                     .getAppCodebasePrincipal(uri, APP_ID, false);
+                     .createCodebasePrincipal(uri, attrs);
   let pm = Cc["@mozilla.org/permissionmanager;1"]
              .getService(Ci.nsIPermissionManager);
   pm.removeFromPrincipal(_principal, MOBILEID_PERM);
 }
 
 // === Mocks ===
 
 let Mock = function(aOptions) {
--- a/testing/marionette/driver/marionette_driver/marionette.py
+++ b/testing/marionette/driver/marionette_driver/marionette.py
@@ -804,19 +804,20 @@ class Marionette(object):
                 return value;
                 """, script_args=[perm], sandbox='system')
 
         with self.using_context('chrome'):
             permission = self.execute_script("""
                 Components.utils.import("resource://gre/modules/Services.jsm");
                 let perm = arguments[0];
                 let secMan = Services.scriptSecurityManager;
-                let principal = secMan.getAppCodebasePrincipal(
+                let attrs = {appId: perm.appId, inBrowser: perm.isInBrowserElement};
+                let principal = secMan.createCodebasePrincipal(
                                 Services.io.newURI(perm.url, null, null),
-                                perm.appId, perm.isInBrowserElement);
+                                attrs);
                 let testPerm = Services.perms.testPermissionFromPrincipal(
                                principal, perm.type);
                 return testPerm;
                 """, script_args=[value])
         return permission
 
     def push_permission(self, perm, allow):
         with self.using_context('content'):
@@ -865,18 +866,19 @@ class Marionette(object):
                     """, sandbox='system')
             return
 
         with self.using_context('chrome'):
             self.execute_script("""
                 Components.utils.import("resource://gre/modules/Services.jsm");
                 let perm = arguments[0];
                 let secMan = Services.scriptSecurityManager;
-                let principal = secMan.getAppCodebasePrincipal(Services.io.newURI(perm.url, null, null),
-                                perm.appId, perm.isInBrowserElement);
+                let attrs = {appId: perm.appId, inBrowser: perm.isInBrowserElement};
+                let principal = secMan.createCodebasePrincipal(Services.io.newURI(perm.url, null, null),
+                                                               attrs);
                 Services.perms.addFromPrincipal(principal, perm.type, perm.action);
                 return true;
                 """, script_args=[perm])
 
         with self.using_context('content'):
             self.execute_async_script("""
                 waitFor(marionetteScriptFinished, function() {
                   return window.wrappedJSObject.permChanged;
--- a/testing/mochitest/tests/Harness_sanity/test_bug816847.html
+++ b/testing/mochitest/tests/Harness_sanity/test_bug816847.html
@@ -31,22 +31,17 @@ const appsSvc = Cc["@mozilla.org/AppsSer
 const manifest = "https://example.com/manifest.webapp";
 const allow = Ci.nsIPermissionManager.ALLOW_ACTION;
 const unknown = Ci.nsIPermissionManager.UNKNOWN_ACTION;
 const perms = ['network-events', 'geolocation', 'camera', 'alarms']
 
 function createPrincipal(aURI, aIsApp, aIsInBrowserElement) {
   if(aIsApp) {
     var app = appsSvc.getAppByManifestURL(aURI);
-    var localId = appsSvc.getAppLocalIdByManifestURL(aURI);
-    var uri = Services.io.newURI(app.origin, null, null);
-    return Services.scriptSecurityManager
-                   .getAppCodebasePrincipal(uri,
-                                            localId,
-                                            aIsInBrowserElement);
+    return app.principal;
   }
 
   var uri = Services.io.newURI(aURI, null, null);
   return Services.scriptSecurityManager
                  .getNoAppCodebasePrincipal(uri);
 }
 
 // test addPermission and removePermission
--- a/testing/specialpowers/content/SpecialPowersObserverAPI.js
+++ b/testing/specialpowers/content/SpecialPowersObserverAPI.js
@@ -309,17 +309,19 @@ SpecialPowersObserverAPI.prototype = {
         }
         return undefined;	// See comment at the beginning of this function.
       }
 
       case "SPPermissionManager": {
         let msg = aMessage.json;
 
         let secMan = Services.scriptSecurityManager;
-        let principal = secMan.getAppCodebasePrincipal(this._getURI(msg.url), msg.appId, msg.isInBrowserElement);
+        // TODO: Bug 1196665 - Add originAttributes into SpecialPowers
+        let attrs = {appId: msg.appId, inBrowser: msg.isInBrowserElement};
+        let principal = secMan.createCodebasePrincipal(this._getURI(msg.url), attrs);
 
         switch (msg.op) {
           case "add":
             Services.perms.addFromPrincipal(principal, msg.type, msg.permission, msg.expireType, msg.expireTime);
             break;
           case "remove":
             Services.perms.removeFromPrincipal(principal, msg.type);
             break;
--- a/uriloader/prefetch/OfflineCacheUpdateParent.cpp
+++ b/uriloader/prefetch/OfflineCacheUpdateParent.cpp
@@ -1,25 +1,27 @@
 /* -*- mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "OfflineCacheUpdateParent.h"
 
+#include "mozilla/BasePrincipal.h"
 #include "mozilla/dom/TabParent.h"
 #include "mozilla/ipc/URIUtils.h"
 #include "mozilla/unused.h"
 #include "nsOfflineCacheUpdate.h"
 #include "nsIApplicationCache.h"
 #include "nsIScriptSecurityManager.h"
 #include "nsNetUtil.h"
-#include "nsContentUtils.h"
 
 using namespace mozilla::ipc;
+using mozilla::BasePrincipal;
+using mozilla::OriginAttributes;
 using mozilla::dom::TabParent;
 
 //
 // To enable logging (see prlog.h for full details):
 //
 //    set NSPR_LOG_MODULES=nsOfflineCacheUpdate:5
 //    set NSPR_LOG_FILE=offlineupdate.log
 //
@@ -86,20 +88,20 @@ OfflineCacheUpdateParent::Schedule(const
 
     nsOfflineCacheUpdateService* service =
         nsOfflineCacheUpdateService::EnsureService();
     if (!service)
         return NS_ERROR_FAILURE;
 
     bool offlinePermissionAllowed = false;
 
-    nsCOMPtr<nsIPrincipal> principal;
-    nsContentUtils::GetSecurityManager()->
-        GetAppCodebasePrincipal(manifestURI, mAppId, mIsInBrowserElement,
-                                getter_AddRefs(principal));
+    // TODO: Bug 1165466 - use OriginAttributes
+    OriginAttributes attrs(mAppId, mIsInBrowserElement);
+    nsCOMPtr<nsIPrincipal> principal =
+      BasePrincipal::CreateCodebasePrincipal(manifestURI, attrs);
 
     nsresult rv = service->OfflineAppAllowed(
         principal, nullptr, &offlinePermissionAllowed);
     NS_ENSURE_SUCCESS(rv, rv);
 
     if (!offlinePermissionAllowed)
         return NS_ERROR_DOM_SECURITY_ERR;