Backed out 3 changesets (bug 1165272) for b2g sanity blocker.
authorBobby Holley <bobbyholley@gmail.com>
Tue, 25 Aug 2015 11:05:43 -0700
changeset 293605 d09ccffbeb17c033e9a235cd508a6352f48fd14c
parent 293604 7d70643818b525e0b4bb5c2e9133c04a0c4f33c8
child 293606 c46370eea81a9860ae77d1f0c7776c24e816138e
child 293613 55f940d8b0f287f43fa87d0cfbd567227991b84f
push id962
push userjlund@mozilla.com
push dateFri, 04 Dec 2015 23:28:54 +0000
bugs1165272
milestone43.0a1
Backed out 3 changesets (bug 1165272) for b2g sanity blocker.
addon-sdk/source/lib/sdk/indexed-db.js
b2g/components/AboutServiceWorkers.jsm
b2g/components/ContentPermissionPrompt.js
browser/base/content/aboutSocialError.xhtml
browser/base/content/test/general/browser_offlineQuotaNotification.js
browser/base/content/test/general/browser_sanitizeDialog.js
browser/base/content/test/general/test_offlineNotification.html
browser/base/content/test/general/test_offline_gzip.html
browser/base/content/test/newtab/head.js
browser/components/feeds/FeedConverter.js
browser/components/preferences/aboutPermissions.js
browser/components/preferences/permissions.js
browser/components/preferences/tests/browser_permissions.js
browser/devtools/styleinspector/test/browser_styleinspector_csslogic-content-stylesheets.js
browser/extensions/pdfjs/content/PdfStreamConverter.jsm
browser/extensions/shumway/chrome/SpecialStorage.jsm
browser/modules/Feeds.jsm
caps/nsIScriptSecurityManager.idl
docshell/base/nsDocShell.cpp
dom/apps/AppsUtils.jsm
dom/apps/OfflineCacheInstaller.jsm
dom/apps/ScriptPreloader.jsm
dom/apps/Webapps.jsm
dom/base/nsGlobalWindow.cpp
dom/browser-element/BrowserElementParent.js
dom/browser-element/mochitest/browserElement_Auth.js
dom/cache/test/mochitest/test_chrome_constructor.html
dom/datastore/DataStoreService.cpp
dom/indexedDB/ActorsParent.cpp
dom/indexedDB/test/head.js
dom/indexedDB/test/unit/test_defaultStorageUpgrade.js
dom/indexedDB/test/unit/test_idle_maintenance.js
dom/indexedDB/test/unit/test_metadataRestore.js
dom/indexedDB/test/unit/test_open_for_principal.js
dom/indexedDB/test/unit/test_temporary_storage.js
dom/ipc/AppProcessChecker.cpp
dom/ipc/TabChild.cpp
dom/payment/Payment.jsm
dom/permission/PermissionSettings.js
dom/permission/PermissionSettings.jsm
dom/quota/QuotaManager.cpp
dom/tests/mochitest/chrome/test_MozDomFullscreen_event.xul
dom/tests/mochitest/localstorage/test_localStorageFromChrome.xhtml
extensions/cookie/nsPermission.cpp
extensions/cookie/nsPermissionManager.cpp
extensions/cookie/test/test_app_uninstall_permissions.html
extensions/cookie/test/unit/test_permmanager_cleardata.js
extensions/cookie/test/unit/test_permmanager_defaults.js
extensions/cookie/test/unit/test_permmanager_expiration.js
extensions/cookie/test/unit/test_permmanager_getPermissionObject.js
extensions/cookie/test/unit/test_permmanager_idn.js
extensions/cookie/test/unit/test_permmanager_load_invalid_entries.js
extensions/cookie/test/unit/test_permmanager_local_files.js
extensions/cookie/test/unit/test_permmanager_matches.js
extensions/cookie/test/unit/test_permmanager_matchesuri.js
extensions/cookie/test/unit/test_permmanager_notifications.js
extensions/cookie/test/unit/test_permmanager_removesince.js
extensions/cookie/test/unit/test_permmanager_subdomains.js
extensions/cookie/test/unit_ipc/test_child.js
extensions/cookie/test/unit_ipc/test_parent.js
gfx/thebes/gfxSVGGlyphs.cpp
ipc/glue/BackgroundUtils.cpp
js/xpconnect/src/Sandbox.cpp
netwerk/cookie/CookieServiceParent.cpp
netwerk/protocol/http/HttpChannelParent.cpp
netwerk/test/unit/test_auth_dialog_permission.js
netwerk/test/unit/test_auth_jar.js
netwerk/test/unit/test_fallback_no-cache-entry_canceled.js
netwerk/test/unit/test_fallback_no-cache-entry_passing.js
netwerk/test/unit/test_fallback_redirect-to-different-origin_canceled.js
netwerk/test/unit/test_fallback_redirect-to-different-origin_passing.js
netwerk/test/unit/test_fallback_request-error_canceled.js
netwerk/test/unit/test_fallback_request-error_passing.js
netwerk/test/unit/test_fallback_response-error_canceled.js
netwerk/test/unit/test_fallback_response-error_passing.js
netwerk/test/unit/test_offlinecache_custom-directory.js
netwerk/test/unit/test_permmgr.js
services/fxaccounts/tests/xpcshell/test_manager.js
services/mobileid/MobileIdentityManager.jsm
services/mobileid/tests/xpcshell/head.js
services/sync/Weave.js
testing/marionette/driver/marionette_driver/marionette.py
testing/mochitest/tests/Harness_sanity/test_bug816847.html
testing/specialpowers/content/SpecialPowersObserverAPI.js
toolkit/components/downloads/ApplicationReputation.cpp
toolkit/components/downloads/test/unit/test_app_rep.js
toolkit/components/places/BookmarkJSONUtils.jsm
toolkit/components/places/nsLivemarkService.js
toolkit/components/social/SocialService.jsm
toolkit/components/url-classifier/tests/unit/head_urlclassifier.js
toolkit/components/url-classifier/tests/unit/test_dbservice.js
toolkit/components/url-classifier/tests/unit/test_digest256.js
toolkit/devtools/server/actors/storage.js
toolkit/forgetaboutsite/test/unit/test_removeDataFromDomain.js
toolkit/modules/NewTabUtils.jsm
toolkit/modules/PermissionsUtils.jsm
toolkit/webapps/NativeApp.jsm
uriloader/prefetch/OfflineCacheUpdateParent.cpp
uriloader/prefetch/nsOfflineCacheUpdateService.cpp
--- a/addon-sdk/source/lib/sdk/indexed-db.js
+++ b/addon-sdk/source/lib/sdk/indexed-db.js
@@ -27,19 +27,19 @@ let sanitizeId = function(id){
 
 const PSEUDOURI = "indexeddb://" + sanitizeId(id) // https://bugzilla.mozilla.org/show_bug.cgi?id=779197
 
 // Use XPCOM because `require("./url").URL` doesn't expose the raw uri object.
 let principaluri = Cc["@mozilla.org/network/io-service;1"].
               getService(Ci.nsIIOService).
               newURI(PSEUDOURI, null, null);
 
-let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-            .getService(Ci.nsIScriptSecurityManager);
-let principal = ssm.createCodebasePrincipal(principaluri, {});
+let principal = Cc["@mozilla.org/scriptsecuritymanager;1"].
+	               getService(Ci.nsIScriptSecurityManager).
+	               getCodebasePrincipal(principaluri);
 
 function toArray(args) {
   return Array.prototype.slice.call(args);
 }
 
 function openInternal(args, forPrincipal, deleting) {
   if (forPrincipal) {
     args = toArray(args);
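Review bot: The restored `+` lines call `getCodebasePrincipal(principaluri)`, which the nsIScriptSecurityManager.idl section of this same changeset still marks `[deprecated]`, while the other no-app call sites restored here use `getNoAppCodebasePrincipal`. If both are meant to yield the same principal for this pseudo-URI, `getNoAppCodebasePrincipal(principaluri);` would keep the call sites consistent and off the deprecated entry point. The two continuation lines are also indented with tab characters, unlike the space-indented lines around them.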
--- a/b2g/components/AboutServiceWorkers.jsm
+++ b/b2g/components/AboutServiceWorkers.jsm
@@ -149,20 +149,21 @@ this.AboutServiceWorkers = {
             !message.principal.origin ||
             !message.principal.originAttributes ||
             !message.principal.originAttributes.appId ||
             (message.principal.originAttributes.inBrowser == null)) {
           self.sendError(message.id, "MissingPrincipal");
           return;
         }
 
-        let principal = Services.scriptSecurityManager.createCodebasePrincipal(
-          // TODO: Bug 1196652. use originNoSuffix
+        let principal = Services.scriptSecurityManager.getAppCodebasePrincipal(
           Services.io.newURI(message.principal.origin, null, null),
-          message.principal.originAttributes);
+          message.principal.originAttributes.appId,
+          message.principal.originAttributes.inBrowser
+        );
 
         if (!message.scope) {
           self.sendError(message.id, "MissingScope");
           return;
         }
 
         let serviceWorkerUnregisterCallback = {
           unregisterSucceeded: function() {
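Review bot: `appId` and `inBrowser` come from the incoming message and reach `getAppCodebasePrincipal` after only a falsiness/null test, so a non-numeric `appId` or a non-boolean `inBrowser` still gets through. The IDL comment in this changeset says appId can't be UNKNOWN_APP_ID, and the guard above does not exclude that value either. Because this principal appears to select whose service worker is unregistered, I would extend the guard before the call, e.g. `typeof message.principal.originAttributes.appId != "number" ||` and `message.principal.originAttributes.appId == Ci.nsIScriptSecurityManager.UNKNOWN_APP_ID ||`, answering with the existing `"MissingPrincipal"` error. `Services.io.newURI(message.principal.origin, null, null)` can also throw on a malformed origin; the handler starts and ends outside the hunk, so whether that is caught further out is not visible.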
--- a/b2g/components/ContentPermissionPrompt.js
+++ b/b2g/components/ContentPermissionPrompt.js
@@ -200,19 +200,19 @@ ContentPermissionPrompt.prototype = {
     let appsService = Cc["@mozilla.org/AppsService;1"]
                         .getService(Ci.nsIAppsService);
     let app = appsService.getAppByLocalId(request.principal.appId);
 
     // Check each permission if it's denied by permission manager with app's
     // URL.
     let notDenyAppPrincipal = function(type) {
       let url = Services.io.newURI(app.origin, null, null);
-      let principal =
-        secMan.createCodebasePrincipal(url,
-                                       {appId: request.principal.appId});
+      let principal = secMan.getAppCodebasePrincipal(url,
+                                                     request.principal.appId,
+                                                     /*mozbrowser*/false);
       let result = Services.perms.testExactPermissionFromPrincipal(principal,
                                                                    type.access);
 
       if (result == Ci.nsIPermissionManager.ALLOW_ACTION ||
           result == Ci.nsIPermissionManager.PROMPT_ACTION) {
         type.deny = false;
       }
       return !type.deny;
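Review bot: `notDenyAppPrincipal` builds its principal with the browser flag hard-coded (`/*mozbrowser*/false`) and tests permissions against that, whatever flag `request.principal` itself carries. If that is intended, a why-comment would keep a later reader from "correcting" it, e.g. `// Deliberately the app's own principal (not inside a browser frame): we ask whether the app itself is denied.` `app` from `getAppByLocalId` is also dereferenced as `app.origin` without a null check in the visible lines. The enclosing method starts and ends outside the hunk.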
--- a/browser/base/content/aboutSocialError.xhtml
+++ b/browser/base/content/aboutSocialError.xhtml
@@ -50,18 +50,17 @@
       let mode = searchParams.get("mode");
       config.origin = searchParams.get("origin");
       let encodedURL = searchParams.get("url");
       let url = decodeURIComponent(encodedURL);
       // directory does not have origin set, in that case use the url origin for
       // the error message.
       if (!config.origin) {
         let URI = Services.io.newURI(url, null, null);
-        config.origin =
-          Services.scriptSecurityManager.createCodebasePrincipal(URI, {}).origin;
+        config.origin = Services.scriptSecurityManager.getNoAppCodebasePrincipal(URI).origin;
       }
 
       switch (mode) {
         case "compactInfo":
           document.getElementById("btnTryAgain").style.display = 'none';
           break;
         case "tryAgainOnly":
           //intentional fall-through
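Review bot: `url` is taken from the page's query string, and both `Services.io.newURI(url, null, null)` and the `.origin` getter on the new line can throw; nothing in the visible lines catches that. The permissions.js section of this same changeset relies on `.origin` throwing for unknown schemes. I would wrap the two statements in a `try`/`catch` that leaves `config.origin` unset, so the page falls back to a generic message instead of stopping mid-setup. The enclosing function starts and ends outside the hunk, so an outer handler cannot be ruled out.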
--- a/browser/base/content/test/general/browser_offlineQuotaNotification.js
+++ b/browser/base/content/test/general/browser_offlineQuotaNotification.js
@@ -6,17 +6,17 @@
 // Test offline quota warnings - must be run as a mochitest-browser test or
 // else the test runner gets in the way of notifications due to bug 857897.
 
 const URL = "http://mochi.test:8888/browser/browser/base/content/test/general/offlineQuotaNotification.html";
 
 registerCleanupFunction(function() {
   // Clean up after ourself
   let uri = Services.io.newURI(URL, null, null);
-  let principal = Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
+  var principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri);
   Services.perms.removeFromPrincipal(principal, "offline-app");
   Services.prefs.clearUserPref("offline-apps.quota.warn");
   Services.prefs.clearUserPref("offline-apps.allow_by_default");
 });
 
 // Check that the "preferences" UI is opened and showing which websites have
 // offline storage permissions - currently this is the "network" tab in the
 // "advanced" pane.
--- a/browser/base/content/test/general/browser_sanitizeDialog.js
+++ b/browser/base/content/test/general/browser_sanitizeDialog.js
@@ -559,17 +559,17 @@ var gAllTests = [
     var URL = "http://www.example.com";
 
     var ios = Cc["@mozilla.org/network/io-service;1"]
               .getService(Ci.nsIIOService);
     var URI = ios.newURI(URL, null, null);
 
     var sm = Cc["@mozilla.org/scriptsecuritymanager;1"]
              .getService(Ci.nsIScriptSecurityManager);
-    var principal = sm.createCodebasePrincipal(URI, {});
+    var principal = sm.getNoAppCodebasePrincipal(URI);
 
     // Give www.example.com privileges to store offline data
     var pm = Cc["@mozilla.org/permissionmanager;1"]
              .getService(Ci.nsIPermissionManager);
     pm.addFromPrincipal(principal, "offline-app", Ci.nsIPermissionManager.ALLOW_ACTION);
     pm.addFromPrincipal(principal, "offline-app", Ci.nsIOfflineCacheUpdateService.ALLOW_NO_WARN);
 
     // Store something to the offline cache
@@ -629,17 +629,17 @@ var gAllTests = [
     var URL = "http://www.example.com";
 
     var ios = Cc["@mozilla.org/network/io-service;1"]
               .getService(Ci.nsIIOService);
     var URI = ios.newURI(URL, null, null);
 
     var sm = Cc["@mozilla.org/scriptsecuritymanager;1"]
              .getService(Ci.nsIScriptSecurityManager);
-    var principal = sm.createCodebasePrincipal(URI, {});
+    var principal = sm.getNoAppCodebasePrincipal(URI);
 
     // Open the dialog
     let wh = new WindowHelper();
     wh.onload = function () {
       this.selectDuration(Sanitizer.TIMESPAN_EVERYTHING);
       // Show details
       this.toggleDetails();
       // Clear only offlineApps
--- a/browser/base/content/test/general/test_offlineNotification.html
+++ b/browser/base/content/test/general/test_offlineNotification.html
@@ -38,20 +38,22 @@ window.addEventListener("message", funct
       // Clean up after ourself
       var pm = Cc["@mozilla.org/permissionmanager;1"].
                getService(SpecialPowers.Ci.nsIPermissionManager);
       var ioService = Cc["@mozilla.org/network/io-service;1"]
                         .getService(SpecialPowers.Ci.nsIIOService);
       var uri1 = ioService.newURI(frames.testFrame.location, null, null);
       var uri2 = ioService.newURI(frames.testFrame3.location, null, null);
 
-      var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                  .getService(SpecialPowers.Ci.nsIScriptSecurityManager);
-      var principal1 = ssm.createCodebasePrincipal(uri1, {});
-      var principal2 = ssm.createCodebasePrincipal(uri2, {});
+      var principal1 = Cc["@mozilla.org/scriptsecuritymanager;1"]
+                        .getService(SpecialPowers.Ci.nsIScriptSecurityManager)
+                        .getNoAppCodebasePrincipal(uri1);
+      var principal2 = Cc["@mozilla.org/scriptsecuritymanager;1"]
+                        .getService(SpecialPowers.Ci.nsIScriptSecurityManager)
+                        .getNoAppCodebasePrincipal(uri2);
 
       pm.removeFromPrincipal(principal1, "offline-app");
       pm.removeFromPrincipal(principal2, "offline-app");
 
       offlineByDefault.reset();
 
       SimpleTest.finish();
     }
--- a/browser/base/content/test/general/test_offline_gzip.html
+++ b/browser/base/content/test/general/test_offline_gzip.html
@@ -34,19 +34,19 @@ SimpleTest.waitForExplicitFinish();
 function finishTest() {
   // Clean up after ourselves.
   var Cc = SpecialPowers.Cc;
   var pm = Cc["@mozilla.org/permissionmanager;1"].
            getService(SpecialPowers.Ci.nsIPermissionManager);
 
   var uri = Cc["@mozilla.org/network/io-service;1"].getService(SpecialPowers.Ci.nsIIOService)
               .newURI(window.frames[0].location, null, null);
-  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(SpecialPowers.Ci.nsIScriptSecurityManager);
-  var principal = ssm.createCodebasePrincipal(uri, {});
+  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
+                   .getService(SpecialPowers.Ci.nsIScriptSecurityManager)
+                   .getNoAppCodebasePrincipal(uri);
 
   pm.removeFromPrincipal(principal, "offline-app");
 
   window.removeEventListener("message", handleMessageEvents, false);
 
   offlineByDefault.reset();
   SimpleTest.finish();  
 }
--- a/browser/base/content/test/newtab/head.js
+++ b/browser/base/content/test/newtab/head.js
@@ -13,17 +13,17 @@ Cu.import("resource:///modules/Directory
 Cu.import("resource://testing-common/PlacesTestUtils.jsm", tmp);
 Cc["@mozilla.org/moz/jssubscript-loader;1"]
   .getService(Ci.mozIJSSubScriptLoader)
   .loadSubScript("chrome://browser/content/sanitize.js", tmp);
 Cu.import("resource://gre/modules/Timer.jsm", tmp);
 let {Promise, NewTabUtils, Sanitizer, clearTimeout, setTimeout, DirectoryLinksProvider, PlacesTestUtils} = tmp;
 
 let uri = Services.io.newURI("about:newtab", null, null);
-let principal = Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
+let principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri);
 
 let isMac = ("nsILocalFileMac" in Ci);
 let isLinux = ("@mozilla.org/gnome-gconf-service;1" in Cc);
 let isWindows = ("@mozilla.org/windows-registry-key;1" in Cc);
 let gWindow = window;
 
 // Default to dummy/empty directory links
 let gDirectorySource = 'data:application/json,{"test":1}';
--- a/browser/components/feeds/FeedConverter.js
+++ b/browser/components/feeds/FeedConverter.js
@@ -249,17 +249,17 @@ FeedConverter.prototype = {
         // page can access it.
         feedService.addFeedResult(result);
 
         // Now load the actual XUL document.
         var aboutFeedsURI = ios.newURI("about:feeds", null, null);
         chromeChannel = ios.newChannelFromURIWithLoadInfo(aboutFeedsURI, loadInfo);
         chromeChannel.originalURI = result.uri;
         chromeChannel.owner =
-          Services.scriptSecurityManager.createCodebasePrincipal(aboutFeedsURI, {});
+          Services.scriptSecurityManager.getNoAppCodebasePrincipal(aboutFeedsURI);
       } else {
         chromeChannel = ios.newChannelFromURIWithLoadInfo(result.uri, loadInfo);
       }
 
       chromeChannel.loadGroup = this._request.loadGroup;
       chromeChannel.asyncOpen(this._listener, null);
     }
     finally {
--- a/browser/components/preferences/aboutPermissions.js
+++ b/browser/components/preferences/aboutPermissions.js
@@ -492,17 +492,17 @@ let AboutPermissions = {
     gSitesStmt.params.limit = this.PLACES_SITES_LIMIT;
     gSitesStmt.executeAsync({
       handleResult: function(aResults) {
         AboutPermissions.startSitesListBatch();
         let row;
         while (row = aResults.getNextRow()) {
           let spec = row.getResultByName("url");
           let uri = NetUtil.newURI(spec);
-          let principal = gSecMan.createCodebasePrincipal(uri, {});
+          let principal = gSecMan.getNoAppCodebasePrincipal(uri);
 
           AboutPermissions.addPrincipal(principal);
         }
         AboutPermissions.endSitesListBatch();
       },
       handleError: function(aError) {
         Cu.reportError("AboutPermissions: " + aError);
       },
@@ -543,33 +543,33 @@ let AboutPermissions = {
     let logins = Services.logins.getAllLogins();
     logins.forEach(function(aLogin) {
       if (itemCnt % this.LIST_BUILD_CHUNK == 0) {
         yield true;
       }
       try {
         // aLogin.hostname is a string in origin URL format (e.g. "http://foo.com")
         let uri = NetUtil.newURI(aLogin.hostname);
-        let principal = gSecMan.createCodebasePrincipal(uri, {});
+        let principal = gSecMan.getNoAppCodebasePrincipal(uri);
         this.addPrincipal(principal);
       } catch (e) {
         // newURI will throw for add-ons logins stored in chrome:// URIs
       }
       itemCnt++;
     }, this);
 
     let disabledHosts = Services.logins.getAllDisabledHosts();
     disabledHosts.forEach(function(aHostname) {
       if (itemCnt % this.LIST_BUILD_CHUNK == 0) {
         yield true;
       }
       try {
         // aHostname is a string in origin URL format (e.g. "http://foo.com")
         let uri = NetUtil.newURI(aHostname);
-        let principal = gSecMan.createCodebasePrincipal(uri, {});
+        let principal = gSecMan.getNoAppCodebasePrincipal(uri);
         this.addPrincipal(principal);
       } catch (e) {
         // newURI will throw for add-ons logins stored in chrome:// URIs
       }
       itemCnt++;
     }, this);
 
     let enumerator = Services.perms.enumerator;
--- a/browser/components/preferences/permissions.js
+++ b/browser/components/preferences/permissions.js
@@ -90,22 +90,22 @@ var gPermissionManager = {
       // help catch cases where the URI parser parsed something like
       // `localhost:8080` as having the scheme `localhost`, rather than being
       // an invalid URI. A canonical origin representation is required by the
       // permission manager for storage, so this won't prevent any valid
       // permissions from being entered by the user.
       let uri;
       try {
         uri = Services.io.newURI(input_url, null, null);
-        principal = Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
+        principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri);
         // If we have ended up with an unknown scheme, the following will throw.
         principal.origin;
       } catch(ex) {
         uri = Services.io.newURI("http://" + input_url, null, null);
-        principal = Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
+        principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri);
         // If we have ended up with an unknown scheme, the following will throw.
         principal.origin;
       }
     } catch(ex) {
       var message = this._bundle.getString("invalidURI");
       var title = this._bundle.getString("invalidURITitle");
       Services.prompt.alert(window, title, message);
       return;
--- a/browser/components/preferences/tests/browser_permissions.js
+++ b/browser/components/preferences/tests/browser_permissions.js
@@ -3,20 +3,18 @@
 
 Components.utils.import("resource://gre/modules/NetUtil.jsm");
 
 const ABOUT_PERMISSIONS_SPEC = "about:permissions";
 
 const TEST_URI_1 = NetUtil.newURI("http://mozilla.com/");
 const TEST_URI_2 = NetUtil.newURI("http://mozilla.org/");
 
-const TEST_PRINCIPAL_1 =
-  Services.scriptSecurityManager.createCodebasePrincipal(TEST_URI_1, {});
-const TEST_PRINCIPAL_2 =
-  Services.scriptSecurityManager.createCodebasePrincipal(TEST_URI_2, {});
+const TEST_PRINCIPAL_1 = Services.scriptSecurityManager.getNoAppCodebasePrincipal(TEST_URI_1);
+const TEST_PRINCIPAL_2 = Services.scriptSecurityManager.getNoAppCodebasePrincipal(TEST_URI_2);
 
 // values from DefaultPermissions object
 const PERM_UNKNOWN = 0;
 const PERM_ALLOW = 1;
 const PERM_DENY = 2;
 // cookie specific permissions
 const PERM_FIRST_PARTY_ONLY = 9;
 
--- a/browser/devtools/styleinspector/test/browser_styleinspector_csslogic-content-stylesheets.js
+++ b/browser/devtools/styleinspector/test/browser_styleinspector_csslogic-content-stylesheets.js
@@ -10,19 +10,19 @@
 // toolkit/devtools/server/tests/mochitest/test_css-logic-...something...html
 // test
 
 const TEST_URI_HTML = TEST_URL_ROOT + "doc_content_stylesheet.html";
 const TEST_URI_XUL = TEST_URL_ROOT + "doc_content_stylesheet.xul";
 const XUL_URI = Cc["@mozilla.org/network/io-service;1"]
                 .getService(Ci.nsIIOService)
                 .newURI(TEST_URI_XUL, null, null);
-let ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                            .getService(Ci.nsIScriptSecurityManager);
-const XUL_PRINCIPAL = ssm.createCodebasePrincipal(XUL_URI, {});
+const XUL_PRINCIPAL = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                        .getService(Ci.nsIScriptSecurityManager)
+                        .getNoAppCodebasePrincipal(XUL_URI);
 
 add_task(function*() {
   info("Checking stylesheets on HTML document");
   yield addTab(TEST_URI_HTML);
   let target = getNode("#target");
 
   let {inspector} = yield openRuleView();
   yield selectNode("#target", inspector);
--- a/browser/extensions/pdfjs/content/PdfStreamConverter.jsm
+++ b/browser/extensions/pdfjs/content/PdfStreamConverter.jsm
@@ -990,31 +990,24 @@ PdfStreamConverter.prototype = {
     };
 
     // Keep the URL the same so the browser sees it as the same.
     channel.originalURI = aRequest.URI;
     channel.loadGroup = aRequest.loadGroup;
 
     // We can use resource principal when data is fetched by the chrome
     // e.g. useful for NoScript
-    var ssm = Cc['@mozilla.org/scriptsecuritymanager;1']
-                .getService(Ci.nsIScriptSecurityManager);
+    var securityManager = Cc['@mozilla.org/scriptsecuritymanager;1']
+                          .getService(Ci.nsIScriptSecurityManager);
     var uri = NetUtil.newURI(PDF_VIEWER_WEB_PAGE, null, null);
     // FF16 and below had getCodebasePrincipal, it was replaced by
     // getNoAppCodebasePrincipal (bug 758258).
-    // FF 43 added createCodebasePrincipal to replace getNoAppCodebasePrincipal
-    // (bug 1165272).
-    var resourcePrincipal
-    if ('createCodebasePrincipal' in ssm) {
-      resourcePrincipal = ssm.createCodebasePrincipal(uri, {});
-    } else if ('getNoAppCodebasePrincipal' in ssm) {
-      resourcePrincipal = ssm.getNoAppCodebasePrincipal(uri)
-    } else {
-      resourcePrincipal = ssm.getCodebasePrincipal(uri);
-    }
+    var resourcePrincipal = 'getNoAppCodebasePrincipal' in securityManager ?
+                            securityManager.getNoAppCodebasePrincipal(uri) :
+                            securityManager.getCodebasePrincipal(uri);
     aRequest.owner = resourcePrincipal;
     channel.asyncOpen(proxy, aContext);
   },
 
   // nsIRequestObserver::onStopRequest
   onStopRequest: function(aRequest, aContext, aStatusCode) {
     if (!this.dataListener) {
       // Do nothing
--- a/browser/extensions/shumway/chrome/SpecialStorage.jsm
+++ b/browser/extensions/shumway/chrome/SpecialStorage.jsm
@@ -17,19 +17,19 @@
 var EXPORTED_SYMBOLS = ['SpecialStorageUtils'];
 
 Components.utils.import('resource://gre/modules/Services.jsm');
 
 var SpecialStorageUtils = {
   createWrappedSpecialStorage: function (sandbox, swfUrl, privateBrowsing) {
     // Creating internal localStorage object based on url and privateBrowsing setting.
     var uri = Services.io.newURI(swfUrl, null, null);
-    var ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                                .getService(Components.interfaces.nsIScriptSecurityManager);
-    var principal = ssm.createCodebasePrincipal(uri, {});
+    var principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                              .getService(Components.interfaces.nsIScriptSecurityManager)
+                              .getNoAppCodebasePrincipal(uri);
     var dsm = Components.classes["@mozilla.org/dom/localStorage-manager;1"]
                                 .getService(Components.interfaces.nsIDOMStorageManager);
     var storage = dsm.createStorage(null, principal, privateBrowsing);
 
     // We will return object created in the sandbox/content, with some exposed
     // properties/methods, so we can send data between wrapped object and
     // and sandbox/content.
     var wrapper = Components.utils.cloneInto({
--- a/browser/modules/Feeds.jsm
+++ b/browser/modules/Feeds.jsm
@@ -61,18 +61,17 @@ this.Feeds = {
     if (!aIsFeed) {
       aIsFeed = (type == "application/rss+xml" ||
                  type == "application/atom+xml");
     }
 
     if (aIsFeed) {
       // re-create the principal as it may be a CPOW.
       let principalURI = BrowserUtils.makeURIFromCPOW(aPrincipal.URI);
-      let principalToCheck =
-        Services.scriptSecurityManager.createCodebasePrincipal(principalURI, {});
+      let principalToCheck = Services.scriptSecurityManager.getNoAppCodebasePrincipal(principalURI);
       try {
         BrowserUtils.urlSecurityCheck(aLink.href, principalToCheck,
                                       Ci.nsIScriptSecurityManager.DISALLOW_INHERIT_PRINCIPAL);
         return type || "application/rss+xml";
       }
       catch(ex) {
       }
     }
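Review bot: `principalToCheck` is rebuilt from `aPrincipal.URI` alone, so any app id or browser flag the original principal carried is not part of the `urlSecurityCheck` that follows. The existing comment gives the CPOW reason but not whether dropping those attributes is acceptable; if it is, I would extend it, e.g. `// Only the URI is carried over; app/browser attributes of aPrincipal are intentionally ignored for this link check.` The empty `catch(ex) {}` after the check also carries no comment saying what a rejected link results in. The function continues outside the hunk.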
--- a/caps/nsIScriptSecurityManager.idl
+++ b/caps/nsIScriptSecurityManager.idl
@@ -21,17 +21,17 @@ class DomainPolicyClone;
 }
 }
 %}
 
 [ptr] native JSContextPtr(JSContext);
 [ptr] native JSObjectPtr(JSObject);
 [ptr] native DomainPolicyClonePtr(mozilla::dom::DomainPolicyClone);
 
-[scriptable, uuid(6e8a4d1e-d9c6-4d86-bf53-d73f58f36148)]
+[scriptable, uuid(9a8f0b70-6b9f-4e19-8885-7cfe24f4a42d)]
 interface nsIScriptSecurityManager : nsISupports
 {
     /**
      * For each of these hooks returning NS_OK means 'let the action continue'.
      * Returning an error code means 'veto the action'. XPConnect will return
      * false to the js engine if the action is vetoed. The implementor of this
      * interface is responsible for setting a JS exception into the JSContext
      * if that is appropriate.
@@ -145,22 +145,20 @@ interface nsIScriptSecurityManager : nsI
      */
     nsIPrincipal getSimpleCodebasePrincipal(in nsIURI aURI);
 
     /**
      * Returns a principal that has the given information.
      * @param appId is the app id of the principal. It can't be UNKNOWN_APP_ID.
      * @param inMozBrowser is true if the principal has to be considered as
      * inside a mozbrowser frame.
-     *
-     * @deprecated use createCodebasePrincipal instead.
      */
-    [deprecated] nsIPrincipal getAppCodebasePrincipal(in nsIURI uri,
-                                                      in unsigned long appId,
-                                                      in boolean inMozBrowser);
+    nsIPrincipal getAppCodebasePrincipal(in nsIURI uri,
+                                         in unsigned long appId,
+                                         in boolean inMozBrowser);
 
     /**
      * Returns a principal that has the appId and inMozBrowser of the load
      * context.
      * @param loadContext to get appId/inMozBrowser from.
      */
     nsIPrincipal getLoadContextCodebasePrincipal(in nsIURI uri,
                                                  in nsILoadContext loadContext);
@@ -172,20 +170,18 @@ interface nsIScriptSecurityManager : nsI
      */
     nsIPrincipal getDocShellCodebasePrincipal(in nsIURI uri,
                                               in nsIDocShell docShell);
 
     /**
      * Returns a principal with that has the same origin as uri and is not part
      * of an appliction.
      * The returned principal will have appId = NO_APP_ID.
-     *
-     * @deprecated use createCodebasePrincipal instead.
      */
-    [deprecated] nsIPrincipal getNoAppCodebasePrincipal(in nsIURI uri);
+    nsIPrincipal getNoAppCodebasePrincipal(in nsIURI uri);
 
     /**
      * Legacy method for getting a principal with no origin attributes.
      *
      * @deprecated use createCodebasePrincipal instead.
      */
     [deprecated] nsIPrincipal getCodebasePrincipal(in nsIURI uri);
 
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -6,17 +6,16 @@
 
 #include "nsDocShell.h"
 
 #include <algorithm>
 
 #include "mozilla/ArrayUtils.h"
 #include "mozilla/Attributes.h"
 #include "mozilla/AutoRestore.h"
-#include "mozilla/BasePrincipal.h"
 #include "mozilla/Casting.h"
 #include "mozilla/dom/ContentChild.h"
 #include "mozilla/dom/Element.h"
 #include "mozilla/dom/TabChild.h"
 #include "mozilla/dom/ProfileTimelineMarkerBinding.h"
 #include "mozilla/dom/ScreenOrientation.h"
 #include "mozilla/dom/ToJSValue.h"
 #include "mozilla/dom/workers/ServiceWorkerManager.h"
@@ -9356,31 +9355,32 @@ nsDocShell::JustStartedNetworkLoad()
   return mDocumentRequest && mDocumentRequest != GetCurrentDocChannel();
 }
 
 nsresult
 nsDocShell::CreatePrincipalFromReferrer(nsIURI* aReferrer,
                                         nsIPrincipal** aResult)
 {
   nsresult rv;
+  nsCOMPtr<nsIScriptSecurityManager> secMan =
+    do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
+  NS_ENSURE_SUCCESS(rv, rv);
 
   uint32_t appId;
   rv = GetAppId(&appId);
   NS_ENSURE_SUCCESS(rv, rv);
   bool isInBrowserElement;
   rv = GetIsInBrowserElement(&isInBrowserElement);
   NS_ENSURE_SUCCESS(rv, rv);
-
-  // TODO: Bug 1165466 - Pass mOriginAttributes directly.
-  OriginAttributes attrs(appId, isInBrowserElement);
-  nsCOMPtr<nsIPrincipal> prin =
-    BasePrincipal::CreateCodebasePrincipal(aReferrer, attrs);
-  prin.forget(aResult);
-
-  return *aResult ? NS_OK : NS_ERROR_FAILURE;
+  rv = secMan->GetAppCodebasePrincipal(aReferrer,
+                                       appId,
+                                       isInBrowserElement,
+                                       aResult);
+  NS_ENSURE_SUCCESS(rv, rv);
+  return NS_OK;
 }
 
 NS_IMETHODIMP
 nsDocShell::InternalLoad(nsIURI* aURI,
                          nsIURI* aReferrer,
                          uint32_t aReferrerPolicy,
                          nsISupports* aOwner,
                          uint32_t aFlags,
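Review bot: `CreatePrincipalFromReferrer` has no comment stating its contract, and the restored body changes it slightly: success is now judged by `rv` from `GetAppCodebasePrincipal` alone, not by a non-null `*aResult`. A short header comment would make that explicit, e.g. `// Builds a codebase principal for aReferrer using this docshell's app id and browser-element flag; *aResult is set only on success.` `aReferrer` is passed through without a null check in the visible lines; if callers can pass null, an early `NS_ENSURE_ARG_POINTER(aReferrer);` would state the expectation.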
--- a/dom/apps/AppsUtils.jsm
+++ b/dom/apps/AppsUtils.jsm
@@ -68,19 +68,21 @@ mozIApplication.prototype = {
   get principal() {
     if (this._principal) {
       return this._principal;
     }
 
     this._principal = null;
 
     try {
-      this._principal = Services.scriptSecurityManager.createCodebasePrincipal(
+      this._principal = Services.scriptSecurityManager.getAppCodebasePrincipal(
         Services.io.newURI(this.origin, null, null),
-        {appId: this.localId});
+        this.localId,
+        false /* mozbrowser */
+      );
     } catch(e) {
       dump("Could not create app principal " + e + "\n");
     }
 
     return this._principal;
   },
 
   QueryInterface: function(aIID) {
--- a/dom/apps/OfflineCacheInstaller.jsm
+++ b/dom/apps/OfflineCacheInstaller.jsm
@@ -223,18 +223,18 @@ function installCache(app) {
   if (!cacheDir.exists())
     return;
 
   let cacheManifest = cacheDir.clone();
   cacheManifest.append('manifest.appcache');
   if (!cacheManifest.exists())
     return;
 
-  let principal =
-    Services.scriptSecurityManager.createCodebasePrincipal(app.origin, {appId: aApp.localId});
+  let principal = Services.scriptSecurityManager.getAppCodebasePrincipal(
+      app.origin, app.localId, false);
 
   // If the build has been correctly configured, this should not happen!
   // If we install the cache anyway, it won't be updateable. If we don't install
   // it, the application won't be useable offline.
   let metadataLoaded;
   if (!resourcesMetadata.exists()) {
     // Not debug, since this is something that should be logged always!
     dump("OfflineCacheInstaller: App " + app.appId + " does have an app cache" +
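Review bot: `app.origin` is passed straight to `getAppCodebasePrincipal`, while the other JS call sites in this commit first wrap the origin with `Services.io.newURI(...)`. If `installCache` can receive the origin as a string, the call would throw before any cache is installed. The caller is outside this hunk, so it may already be an nsIURI. Either way the expectation is worth recording next to the call: `// app.origin must be an nsIURI here, not an origin string.`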
--- a/dom/apps/ScriptPreloader.jsm
+++ b/dom/apps/ScriptPreloader.jsm
@@ -35,17 +35,17 @@ this.ScriptPreloader = {
 
     if (aManifest.precompile &&
         Array.isArray(aManifest.precompile) &&
         aManifest.precompile.length > 0) {
       let origin = Services.io.newURI(aApp.origin, null, null);
       let toLoad = aManifest.precompile.length;
       let principal =
         Services.scriptSecurityManager
-                .createCodebasePrincipal(origin, {appId: aApp.localId});
+                .getAppCodebasePrincipal(origin, aApp.localId, false);
 
       aManifest.precompile.forEach((aPath) => {
         let uri = Services.io.newURI(aPath, null, origin);
         debug("Script to compile: " + uri.spec);
         try {
           Services.scriptloader.precompileScript(uri, principal,
             (aSubject, aTopic, aData) => {
               let uri = aSubject.QueryInterface(Ci.nsIURI);
--- a/dom/apps/Webapps.jsm
+++ b/dom/apps/Webapps.jsm
@@ -815,17 +815,18 @@ this.DOMApplicationRegistry = {
     if (!aManifest) {
       debug("updateDataStore: no manifest for " + aOrigin);
       return;
     }
 
     let uri = Services.io.newURI(aOrigin, null, null);
     let secMan = Cc["@mozilla.org/scriptsecuritymanager;1"]
                    .getService(Ci.nsIScriptSecurityManager);
-    let principal = secMan.createCodebasePrincipal(uri, {appId: aId});
+    let principal = secMan.getAppCodebasePrincipal(uri, aId,
+                                                   /*mozbrowser*/ false);
     if (!dataStoreService.checkPermission(principal)) {
       return;
     }
 
     if ('datastores-owned' in aManifest) {
       for (let name in aManifest['datastores-owned']) {
         let readonly = "access" in aManifest['datastores-owned'][name]
                          ? aManifest['datastores-owned'][name].access == 'readonly'
@@ -3363,19 +3364,18 @@ this.DOMApplicationRegistry = {
     return true;
   },
 
   _getRequestChannel: function(aFullPackagePath, aIsLocalFileInstall, aOldApp,
                                aNewApp) {
     let requestChannel;
 
     let appURI = NetUtil.newURI(aNewApp.origin, null, null);
-    let principal =
-      Services.scriptSecurityManager.createCodebasePrincipal(appURI,
-                                                             {appId: aNewApp.localId});
+    let principal = Services.scriptSecurityManager.getAppCodebasePrincipal(
+                      appURI, aNewApp.localId, false);
 
     if (aIsLocalFileInstall) {
       requestChannel = NetUtil.newChannel({
         uri: aFullPackagePath,
         loadingPrincipal: principal,
         contentPolicyType: Ci.nsIContentPolicy.TYPE_OTHER}
       ).QueryInterface(Ci.nsIFileChannel);
     } else {
--- a/dom/base/nsGlobalWindow.cpp
+++ b/dom/base/nsGlobalWindow.cpp
@@ -90,16 +90,17 @@
 #include "nsIDOMElement.h"
 #include "nsIDOMEvent.h"
 #include "nsIDOMOfflineResourceList.h"
 #include "nsDOMString.h"
 #include "nsIEmbeddingSiteWindow.h"
 #include "nsThreadUtils.h"
 #include "nsILoadContext.h"
 #include "nsIPresShell.h"
+#include "nsIScriptSecurityManager.h"
 #include "nsIScrollableFrame.h"
 #include "nsView.h"
 #include "nsViewManager.h"
 #include "nsISelectionController.h"
 #include "nsISelection.h"
 #include "nsIPrompt.h"
 #include "nsIPromptService.h"
 #include "nsIPromptFactory.h"
@@ -186,17 +187,16 @@
 #include "mozilla/dom/GamepadService.h"
 #endif
 
 #include "mozilla/dom/VRDevice.h"
 
 #include "nsRefreshDriver.h"
 
 #include "mozilla/AddonPathService.h"
-#include "mozilla/BasePrincipal.h"
 #include "mozilla/Services.h"
 #include "mozilla/Telemetry.h"
 #include "nsLocation.h"
 #include "nsHTMLDocument.h"
 #include "nsWrapperCacheInlines.h"
 #include "mozilla/DOMEventTargetHelper.h"
 #include "prrng.h"
 #include "nsSandboxFlags.h"
@@ -251,18 +251,16 @@ static PRLogModuleInfo* gDOMLeakPRLog;
 #include <unistd.h> // for getpid()
 #endif
 
 static const char kStorageEnabled[] = "dom.storage.enabled";
 
 using namespace mozilla;
 using namespace mozilla::dom;
 using namespace mozilla::dom::ipc;
-using mozilla::BasePrincipal;
-using mozilla::OriginAttributes;
 using mozilla::TimeStamp;
 using mozilla::TimeDuration;
 using mozilla::dom::cache::CacheStorage;
 using mozilla::dom::indexedDB::IDBFactory;
 
 nsGlobalWindow::WindowByIdTable *nsGlobalWindow::sWindowsById = nullptr;
 bool nsGlobalWindow::sWarnedAboutWindowInternal = false;
 bool nsGlobalWindow::sIdleObserversAPIFuzzTimeDisabled = false;
@@ -8584,24 +8582,31 @@ nsGlobalWindow::PostMessageMozOuter(JSCo
       return;
     }
 
     if (NS_FAILED(originURI->SetUserPass(EmptyCString())) ||
         NS_FAILED(originURI->SetPath(EmptyCString()))) {
       return;
     }
 
+    nsCOMPtr<nsIScriptSecurityManager> ssm =
+      nsContentUtils::GetSecurityManager();
+    MOZ_ASSERT(ssm);
+
     nsCOMPtr<nsIPrincipal> principal = nsContentUtils::SubjectPrincipal();
     MOZ_ASSERT(principal);
 
-    OriginAttributes attrs = BasePrincipal::Cast(principal)->OriginAttributesRef();
+    uint32_t appId = principal->GetAppId();
+    bool isInBrowser = principal->GetIsInBrowserElement();
+
     // Create a nsIPrincipal inheriting the app/browser attributes from the
     // caller.
-    providedPrincipal = BasePrincipal::CreateCodebasePrincipal(originURI, attrs);
-    if (NS_WARN_IF(!providedPrincipal)) {
+    nsresult rv = ssm->GetAppCodebasePrincipal(originURI, appId, isInBrowser,
+                                             getter_AddRefs(providedPrincipal));
+    if (NS_WARN_IF(NS_FAILED(rv))) {
       return;
     }
   }
 
   // Create and asynchronously dispatch a runnable which will handle actual DOM
   // event creation and dispatch.
   nsRefPtr<PostMessageEvent> event =
     new PostMessageEvent(nsContentUtils::IsCallerChrome() || !callerInnerWin
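Review bot: `ssm` is guarded only by `MOZ_ASSERT(ssm)`, which compiles away in release builds, so if `nsContentUtils::GetSecurityManager()` ever returns null the pointer is dereferenced at `ssm->GetAppCodebasePrincipal(...)`. The other C++ call sites added in this commit (ResetPermission in DataStoreService.cpp, TabChild::MaybeRequestPreinitCamera) test the pointer and bail out. Doing the same here keeps the target-origin path failing closed, like the neighbouring early returns: `if (NS_WARN_IF(!ssm)) { return; }`. PostMessageMozOuter starts and ends outside this hunk.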
--- a/dom/browser-element/BrowserElementParent.js
+++ b/dom/browser-element/BrowserElementParent.js
@@ -828,26 +828,24 @@ BrowserElementParent.prototype = {
     if (_options.referrer) {
       // newURI can throw on malformed URIs.
       try {
         referrer = Services.io.newURI(_options.referrer, null, null);
       }
       catch(e) {
         debug('Malformed referrer -- ' + e);
       }
-
-      // TODO Bug 1165466: use originAttributes from nsILoadContext.
-      let attrs = {appId: this._frameLoader.loadContext.appId,
-                   inBrowser: this._frameLoader.loadContext.isInBrowserElement};
       // This simply returns null if there is no principal available
       // for the requested uri. This is an acceptable fallback when
       // calling newChannelFromURI2.
-      principal =
-        Services.scriptSecurityManager.createCodebasePrincipal(
-          referrer, attrs);
+      principal = 
+        Services.scriptSecurityManager.getAppCodebasePrincipal(
+          referrer, 
+          this._frameLoader.loadContext.appId, 
+          this._frameLoader.loadContext.isInBrowserElement);
     }
 
     debug('Using principal? ' + !!principal);
 
     let channel = 
       Services.io.newChannelFromURI2(url,
                                      null,       // No document. 
                                      principal,  // Loading principal
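Review bot: When `Services.io.newURI` throws on a malformed `_options.referrer`, the catch only logs, and the code still calls `getAppCodebasePrincipal(referrer, ...)` with `referrer` left at its initial value. The comment says the call "simply returns null" when no principal is available, but this hunk does not show whether the XPCOM method accepts a missing URI or throws. Wrapping the assignment in `if (referrer) { ... }` would make the null-principal fallback explicit instead of relying on that. The declaration of `referrer` and the rest of the function are outside the hunk. The added lines also end in trailing whitespace.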
--- a/dom/browser-element/mochitest/browserElement_Auth.js
+++ b/dom/browser-element/mochitest/browserElement_Auth.js
@@ -153,27 +153,25 @@ function testAuthJarNoInterfere(e) {
   var secMan = SpecialPowers.Cc["@mozilla.org/scriptsecuritymanager;1"]
                .getService(SpecialPowers.Ci.nsIScriptSecurityManager);
   var ioService = SpecialPowers.Cc["@mozilla.org/network/io-service;1"]
                   .getService(SpecialPowers.Ci.nsIIOService);
   var uri = ioService.newURI("http://test/tests/dom/browser-element/mochitest/file_http_401_response.sjs", null, null);
 
   // Set a bunch of auth data that should not conflict with the correct auth data already
   // stored in the cache.
-  var attrs = {appId: 1};
-  var principal = secMan.createCodebasePrincipal(uri, attrs);
+  var principal = secMan.getAppCodebasePrincipal(uri, 1, false);
   authMgr.setAuthIdentity('http', 'test', -1, 'basic', 'http_realm',
                           'tests/dom/browser-element/mochitest/file_http_401_response.sjs',
                           '', 'httpuser', 'wrongpass', false, principal);
-  attrs = {appId: 1, inBrowser: true};
-  principal = secMan.createCodebasePrincipal(uri, attrs);
+  principal = secMan.getAppCodebasePrincipal(uri, 1, true);
   authMgr.setAuthIdentity('http', 'test', -1, 'basic', 'http_realm',
                           'tests/dom/browser-element/mochitest/file_http_401_response.sjs',
                           '', 'httpuser', 'wrongpass', false, principal);
-  principal = secMan.createCodebasePrincipal(uri, {});
+  principal = secMan.getAppCodebasePrincipal(uri, secMan.NO_APP_ID, false);
   authMgr.setAuthIdentity('http', 'test', -1, 'basic', 'http_realm',
                           'tests/dom/browser-element/mochitest/file_http_401_response.sjs',
                           '', 'httpuser', 'wrongpass', false, principal);
 
   // Will authenticate with correct password, prompt should not be
   // called again.
   iframe.addEventListener("mozbrowserusernameandpasswordrequired", testFail);
   iframe.addEventListener("mozbrowsertitlechange", function onTitleChange(e) {
@@ -193,17 +191,17 @@ function testAuthJarInterfere(e) {
     .getService(SpecialPowers.Ci.nsIHttpAuthManager);
   var secMan = SpecialPowers.Cc["@mozilla.org/scriptsecuritymanager;1"]
                .getService(SpecialPowers.Ci.nsIScriptSecurityManager);
   var ioService = SpecialPowers.Cc["@mozilla.org/network/io-service;1"]
                   .getService(SpecialPowers.Ci.nsIIOService);
   var uri = ioService.newURI("http://test/tests/dom/browser-element/mochitest/file_http_401_response.sjs", null, null);
 
   // Set some auth data that should overwrite the successful stored details.
-  var principal = secMan.createCodebasePrincipal(uri, {inBrowser: true});
+  var principal = secMan.getAppCodebasePrincipal(uri, secMan.NO_APP_ID, true);
   authMgr.setAuthIdentity('http', 'test', -1, 'basic', 'http_realm',
                           'tests/dom/browser-element/mochitest/file_http_401_response.sjs',
                           '', 'httpuser', 'wrongpass', false, principal);
 
   // Will authenticate with correct password, prompt should not be
   // called again.
   var gotusernamepasswordrequired = false;
   function onUserNameAndPasswordRequired() {
--- a/dom/cache/test/mochitest/test_chrome_constructor.html
+++ b/dom/cache/test/mochitest/test_chrome_constructor.html
@@ -15,17 +15,17 @@
 
   SpecialPowers.pushPrefEnv({
     "set": [["dom.caches.enabled", true],
             ["dom.caches.testing.enabled", true]],
   }, function() {
     // attach to a different origin's CacheStorage
     var url = 'http://example.com/';
     var uri = Services.io.newURI(url, null, null);
-    var principal = Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
+    var principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri);
     var storage = new CacheStorage('content', principal);
 
     // verify we can use the other origin's CacheStorage as normal
     var req = new Request('http://example.com/index.html');
     var res = new Response('hello world');
     var cache;
     storage.open('foo').then(function(c) {
       cache = c;
--- a/dom/datastore/DataStoreService.cpp
+++ b/dom/datastore/DataStoreService.cpp
@@ -9,17 +9,16 @@
 #include "DataStoreCallbacks.h"
 #include "DataStoreDB.h"
 #include "DataStoreRevision.h"
 #include "mozilla/dom/DataStore.h"
 #include "mozilla/dom/DataStoreBinding.h"
 #include "mozilla/dom/DataStoreImplBinding.h"
 #include "nsIDataStore.h"
 
-#include "mozilla/BasePrincipal.h"
 #include "mozilla/Preferences.h"
 #include "mozilla/Services.h"
 #include "mozilla/StaticPtr.h"
 #include "mozilla/dom/ContentChild.h"
 #include "mozilla/dom/ContentParent.h"
 #include "mozilla/dom/DOMError.h"
 #include "mozilla/dom/indexedDB/IDBCursor.h"
 #include "mozilla/dom/indexedDB/IDBObjectStore.h"
@@ -52,19 +51,16 @@
 #include "nsXULAppAPI.h"
 
 #define ASSERT_PARENT_PROCESS()                                             \
   MOZ_ASSERT(XRE_IsParentProcess());                                        \
   if (NS_WARN_IF(!XRE_IsParentProcess())) {                                 \
     return NS_ERROR_FAILURE;                                                \
   }
 
-using mozilla::BasePrincipal;
-using mozilla::OriginAttributes;
-
 namespace mozilla {
 namespace dom {
 
 using namespace indexedDB;
 
 // This class contains all the information about a DataStore.
 class DataStoreInfo
 {
@@ -212,20 +208,27 @@ ResetPermission(uint32_t aAppId, const n
 
   nsCOMPtr<nsIURI> uri;
   rv = ioService->NewURI(NS_ConvertUTF16toUTF8(aOriginURL), nullptr, nullptr,
                          getter_AddRefs(uri));
   if (NS_WARN_IF(NS_FAILED(rv))) {
     return rv;
   }
 
-  OriginAttributes attrs(aAppId, false);
-  nsCOMPtr<nsIPrincipal> principal =
-    BasePrincipal::CreateCodebasePrincipal(uri, attrs);
-  NS_ENSURE_TRUE(principal, NS_ERROR_FAILURE);
+  nsIScriptSecurityManager* ssm = nsContentUtils::GetSecurityManager();
+  if (!ssm) {
+    return NS_ERROR_FAILURE;
+  }
+
+  nsCOMPtr<nsIPrincipal> principal;
+  rv = ssm->GetAppCodebasePrincipal(uri, aAppId, false,
+                                    getter_AddRefs(principal));
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    return rv;
+  }
 
   nsCOMPtr<nsIPermissionManager> pm =
     do_GetService(NS_PERMISSIONMANAGER_CONTRACTID);
   if (!pm) {
     return NS_ERROR_FAILURE;
   }
 
   nsCString basePermission;
--- a/dom/indexedDB/ActorsParent.cpp
+++ b/dom/indexedDB/ActorsParent.cpp
@@ -18514,16 +18514,22 @@ FactoryOp::CheckAtLeastOneAppHasPermissi
       return false;
     }
 
     nsCOMPtr<nsIIOService> ioService = do_GetIOService();
     if (NS_WARN_IF(!ioService)) {
       return false;
     }
 
+    nsCOMPtr<nsIScriptSecurityManager> secMan =
+      do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID);
+    if (NS_WARN_IF(!secMan)) {
+      return false;
+    }
+
     nsCOMPtr<nsIPermissionManager> permMan =
       mozilla::services::GetPermissionManager();
     if (NS_WARN_IF(!permMan)) {
       return false;
     }
 
     const nsPromiseFlatCString permissionString =
       PromiseFlatCString(aPermissionString);
@@ -18537,19 +18543,34 @@ FactoryOp::CheckAtLeastOneAppHasPermissi
                  appId != nsIScriptSecurityManager::NO_APP_ID);
 
       nsCOMPtr<mozIApplication> app;
       nsresult rv = appsService->GetAppByLocalId(appId, getter_AddRefs(app));
       if (NS_WARN_IF(NS_FAILED(rv))) {
         return false;
       }
 
+      nsString origin;
+      rv = app->GetOrigin(origin);
+      if (NS_WARN_IF(NS_FAILED(rv))) {
+        return false;
+      }
+
+      nsCOMPtr<nsIURI> uri;
+      rv = NS_NewURI(getter_AddRefs(uri), origin, nullptr, nullptr, ioService);
+      if (NS_WARN_IF(NS_FAILED(rv))) {
+        return false;
+      }
+
       nsCOMPtr<nsIPrincipal> principal;
-      app->GetPrincipal(getter_AddRefs(principal));
-      NS_ENSURE_TRUE(principal, false);
+      rv = secMan->GetAppCodebasePrincipal(uri, appId, false,
+                                           getter_AddRefs(principal));
+      if (NS_WARN_IF(NS_FAILED(rv))) {
+        return false;
+      }
 
       uint32_t permission;
       rv = permMan->TestExactPermissionFromPrincipal(principal,
                                                      permissionString.get(),
                                                      &permission);
       if (NS_WARN_IF(NS_FAILED(rv))) {
         return false;
       }
--- a/dom/indexedDB/test/head.js
+++ b/dom/indexedDB/test/head.js
@@ -111,45 +111,45 @@ function dispatchEvent(eventName)
 
 function setPermission(url, permission)
 {
   const nsIPermissionManager = Components.interfaces.nsIPermissionManager;
 
   let uri = Components.classes["@mozilla.org/network/io-service;1"]
                       .getService(Components.interfaces.nsIIOService)
                       .newURI(url, null, null);
-  let ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                      .getService(Ci.nsIScriptSecurityManager);
-  let principal = ssm.createCodebasePrincipal(uri, {});
+  let principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(uri);
 
   Components.classes["@mozilla.org/permissionmanager;1"]
             .getService(nsIPermissionManager)
             .addFromPrincipal(principal, permission,
                               nsIPermissionManager.ALLOW_ACTION);
 }
 
 function removePermission(url, permission)
 {
   let uri = Components.classes["@mozilla.org/network/io-service;1"]
                       .getService(Components.interfaces.nsIIOService)
                       .newURI(url, null, null);
-  let ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                      .getService(Ci.nsIScriptSecurityManager);
-  let principal = ssm.createCodebasePrincipal(uri, {});
+  let principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(uri);
 
   Components.classes["@mozilla.org/permissionmanager;1"]
             .getService(Components.interfaces.nsIPermissionManager)
             .removeFromPrincipal(principal, permission);
 }
 
 function getPermission(url, permission)
 {
   let uri = Components.classes["@mozilla.org/network/io-service;1"]
                       .getService(Components.interfaces.nsIIOService)
                       .newURI(url, null, null);
-  let ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                      .getService(Ci.nsIScriptSecurityManager);
-  let principal = ssm.createCodebasePrincipal(uri, {});
+  let principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(uri);
 
   return Components.classes["@mozilla.org/permissionmanager;1"]
                    .getService(Components.interfaces.nsIPermissionManager)
                    .testPermissionFromPrincipal(principal, permission);
 }
--- a/dom/indexedDB/test/unit/test_defaultStorageUpgrade.js
+++ b/dom/indexedDB/test/unit/test_defaultStorageUpgrade.js
@@ -85,20 +85,23 @@ function testSteps()
 
   let ssm = SpecialPowers.Cc["@mozilla.org/scriptsecuritymanager;1"]
                          .getService(SpecialPowers.Ci.nsIScriptSecurityManager);
 
   function openDatabase(params) {
     let request;
     if ("url" in params) {
       let uri = ios.newURI(params.url, null, null);
-      let principal =
-        ssm.createCodebasePrincipal(uri,
-                                    {appId: params.appId || ssm.NO_APPID,
-                                     inBrowser: params.inMozBrowser});
+      let principal;
+      if ("appId" in params) {
+        principal = ssm.getAppCodebasePrincipal(uri, params.appId,
+                                                params.inMozBrowser);
+      } else {
+        principal = ssm.getNoAppCodebasePrincipal(uri);
+      }
       if ("dbVersion" in params) {
         request = indexedDB.openForPrincipal(principal, params.dbName,
                                              params.dbVersion);
       } else {
         request = indexedDB.openForPrincipal(principal, params.dbName,
                                              params.dbOptions);
       }
     } else {
--- a/dom/indexedDB/test/unit/test_idle_maintenance.js
+++ b/dom/indexedDB/test/unit/test_idle_maintenance.js
@@ -5,19 +5,19 @@
 
 var testGenerator = testSteps();
 
 function testSteps()
 {
   let uri = Cc["@mozilla.org/network/io-service;1"].
             getService(Ci.nsIIOService).
             newURI("https://www.example.com", null, null);
-  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
-  let principal = ssm.createCodebasePrincipal(uri, {});
+  let principal = Cc["@mozilla.org/scriptsecuritymanager;1"].
+                  getService(Ci.nsIScriptSecurityManager).
+                  getNoAppCodebasePrincipal(uri);
 
   info("Setting permissions");
 
   let permMgr =
     Cc["@mozilla.org/permissionmanager;1"].getService(Ci.nsIPermissionManager);
   permMgr.add(uri, "indexedDB", Ci.nsIPermissionManager.ALLOW_ACTION);
 
   info("Setting idle preferences to prevent real 'idle-daily' notification");
--- a/dom/indexedDB/test/unit/test_metadataRestore.js
+++ b/dom/indexedDB/test/unit/test_metadataRestore.js
@@ -62,17 +62,17 @@ function testSteps()
 
   let ssm = SpecialPowers.Cc["@mozilla.org/scriptsecuritymanager;1"]
                          .getService(SpecialPowers.Ci.nsIScriptSecurityManager);
 
   function openDatabase(params) {
     let request;
     if ("url" in params) {
       let uri = ios.newURI(params.url, null, null);
-      let principal = ssm.createCodebasePrincipal(uri, {});
+      let principal = ssm.getNoAppCodebasePrincipal(uri);
       request = indexedDB.openForPrincipal(principal, params.dbName,
                                            params.dbOptions);
     } else {
       request = indexedDB.open(params.dbName, params.dbOptions);
     }
     return request;
   }
 
--- a/dom/indexedDB/test/unit/test_open_for_principal.js
+++ b/dom/indexedDB/test/unit/test_open_for_principal.js
@@ -43,19 +43,19 @@ function testSteps()
   request.onsuccess = grabEventAndContinueHandler;
   event = yield undefined;
 
   is(event.target.result, data.key, "Got correct key");
 
   let uri = Components.classes["@mozilla.org/network/io-service;1"]
                       .getService(Components.interfaces.nsIIOService)
                       .newURI("http://appdata.example.com", null, null);
-  let ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                      .getService(Components.interfaces.nsIScriptSecurityManager);
-  let principal = ssm.createCodebasePrincipal(uri, {});
+  let principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                     .getService(Components.interfaces.nsIScriptSecurityManager)
+                     .getNoAppCodebasePrincipal(uri);
 
   request = indexedDB.openForPrincipal(principal, name, 1);
   request.onerror = errorHandler;
   request.onupgradeneeded = grabEventAndContinueHandler;
   request.onsuccess = grabEventAndContinueHandler;
   event = yield undefined;
 
   is(event.type, "upgradeneeded", "Got correct event type");
--- a/dom/indexedDB/test/unit/test_temporary_storage.js
+++ b/dom/indexedDB/test/unit/test_temporary_storage.js
@@ -29,19 +29,19 @@ function testSteps()
   function getSpec(index) {
     return "http://foo" + index + ".com";
   }
 
   function getPrincipal(url) {
     let uri = Cc["@mozilla.org/network/io-service;1"]
                 .getService(Ci.nsIIOService)
                 .newURI(url, null, null);
-    let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-                .getService(Ci.nsIScriptSecurityManager);
-    return ssm.createCodebasePrincipal(uri, {});
+    return Cc["@mozilla.org/scriptsecuritymanager;1"]
+             .getService(Ci.nsIScriptSecurityManager)
+             .getNoAppCodebasePrincipal(uri);
   }
 
   for (let temporary of [true, false]) {
     info("Testing '" + (temporary ? "temporary" : "default") + "' storage");
 
     setLimit(tempStorageLimitKB);
 
     clearAllDatabases(continueToNextStepSync);
--- a/dom/ipc/AppProcessChecker.cpp
+++ b/dom/ipc/AppProcessChecker.cpp
@@ -7,16 +7,17 @@
 #include "AppProcessChecker.h"
 #include "nsIPermissionManager.h"
 #ifdef MOZ_CHILD_PERMISSIONS
 #include "ContentParent.h"
 #include "mozIApplication.h"
 #include "mozilla/hal_sandbox/PHalParent.h"
 #include "nsIAppsService.h"
 #include "nsIPrincipal.h"
+#include "nsIScriptSecurityManager.h"
 #include "nsPrintfCString.h"
 #include "nsIURI.h"
 #include "nsNetUtil.h"
 #include "nsServiceManagerUtils.h"
 #include "TabParent.h"
 
 #include <algorithm>
 
@@ -226,20 +227,31 @@ already_AddRefed<nsIPrincipal>
 GetAppPrincipal(uint32_t aAppId)
 {
   nsCOMPtr<nsIAppsService> appsService = do_GetService(APPS_SERVICE_CONTRACTID);
 
   nsCOMPtr<mozIApplication> app;
   nsresult rv = appsService->GetAppByLocalId(aAppId, getter_AddRefs(app));
   NS_ENSURE_SUCCESS(rv, nullptr);
 
-  nsCOMPtr<nsIPrincipal> principal;
-  app->GetPrincipal(getter_AddRefs(principal));
+  nsString origin;
+  rv = app->GetOrigin(origin);
+  NS_ENSURE_SUCCESS(rv, nullptr);
+
+  nsCOMPtr<nsIURI> uri;
+  NS_NewURI(getter_AddRefs(uri), origin);
 
-  return principal.forget();
+  nsCOMPtr<nsIScriptSecurityManager> secMan =
+    do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID);
+
+  nsCOMPtr<nsIPrincipal> appPrincipal;
+  rv = secMan->GetAppCodebasePrincipal(uri, aAppId, false,
+                                       getter_AddRefs(appPrincipal));
+  NS_ENSURE_SUCCESS(rv, nullptr);
+  return appPrincipal.forget();
 }
 
 uint32_t
 CheckPermission(PContentParent* aActor,
                 nsIPrincipal* aPrincipal,
                 const char* aPermission)
 {
   if (!AssertAppPrincipal(aActor, aPrincipal)) {
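Review bot: In `GetAppPrincipal` the result of `NS_NewURI(getter_AddRefs(uri), origin)` is dropped and `secMan` is dereferenced without a null check. A malformed app origin would pass a null `uri` to `GetAppCodebasePrincipal`, and an unavailable security manager would be a null dereference. The function already returns nullptr on its other failures, so both cases should do the same: `rv = NS_NewURI(getter_AddRefs(uri), origin); NS_ENSURE_SUCCESS(rv, nullptr);` and `NS_ENSURE_TRUE(secMan, nullptr);`. The TabChild.cpp hunk likewise ignores the nsresult of `GetManifestURLByLocalId`, leaving `NS_NewURI` to reject the empty string.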
--- a/dom/ipc/TabChild.cpp
+++ b/dom/ipc/TabChild.cpp
@@ -1557,25 +1557,33 @@ void
 TabChild::MaybeRequestPreinitCamera()
 {
     // Check if this tab will use the `camera` permission.
     nsCOMPtr<nsIAppsService> appsService = do_GetService("@mozilla.org/AppsService;1");
     if (NS_WARN_IF(!appsService)) {
       return;
     }
 
-    nsCOMPtr<mozIApplication> app;
-    nsresult rv = appsService->GetAppByLocalId(OwnAppId(), getter_AddRefs(app));
+    nsString manifestUrl = EmptyString();
+    appsService->GetManifestURLByLocalId(OwnAppId(), manifestUrl);
+    nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
+    if (NS_WARN_IF(!secMan)) {
+      return;
+    }
+
+    nsCOMPtr<nsIURI> uri;
+    nsresult rv = NS_NewURI(getter_AddRefs(uri), manifestUrl);
     if (NS_WARN_IF(NS_FAILED(rv))) {
       return;
     }
 
     nsCOMPtr<nsIPrincipal> principal;
-    app->GetPrincipal(getter_AddRefs(principal));
-    if (NS_WARN_IF(!principal)) {
+    rv = secMan->GetAppCodebasePrincipal(uri, OwnAppId(), false,
+                                         getter_AddRefs(principal));
+    if (NS_WARN_IF(NS_FAILED(rv))) {
       return;
     }
 
     uint16_t status = nsIPrincipal::APP_STATUS_NOT_INSTALLED;
     principal->GetAppStatus(&status);
     bool isCertified = status == nsIPrincipal::APP_STATUS_CERTIFIED;
     if (!isCertified) {
       return;
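Review bot: The principal here is built from the app's manifest URL, whereas `GetAppPrincipal` in AppProcessChecker.cpp and the ActorsParent.cpp hunk build it from `app->GetOrigin()`. Presumably only the origin part of the URI feeds the codebase principal, so the certified-status check below would see the same result either way, but nothing in this hunk shows that. Either derive the URI from the app origin like the other call sites, or add a short comment above `NS_NewURI` stating why the manifest URL is equivalent. MaybeRequestPreinitCamera continues past the end of the hunk.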
--- a/dom/payment/Payment.jsm
+++ b/dom/payment/Payment.jsm
@@ -231,19 +231,18 @@ let PaymentManager =  {
         };
 
 #ifdef MOZ_B2G
         // Let this payment provider access the firefox-accounts API when
         // it's loaded in the trusted UI.
         if (systemAppId != Ci.nsIScriptSecurityManager.NO_APP_ID) {
           this.LOG("Granting firefox-accounts permission to " + provider.uri);
           let uri = Services.io.newURI(provider.uri, null, null);
-          let attrs = {appId: systemAppId, inBrowser: true};
-          let principal =
-            Services.scriptSecurityManager.createCodebasePrincipal(uri, attrs);
+          let principal = Services.scriptSecurityManager
+                            .getAppCodebasePrincipal(uri, systemAppId, true);
 
           Services.perms.addFromPrincipal(principal, "firefox-accounts",
                                           Ci.nsIPermissionManager.ALLOW_ACTION,
                                           Ci.nsIPermissionManager.EXPIRE_SESSION);
         }
 #endif
 
         if (this._debug) {
--- a/dom/permission/PermissionSettings.js
+++ b/dom/permission/PermissionSettings.js
@@ -30,24 +30,20 @@ function PermissionSettings()
 
 XPCOMUtils.defineLazyServiceGetter(this,
                                    "appsService",
                                    "@mozilla.org/AppsService;1",
                                    "nsIAppsService");
 
 PermissionSettings.prototype = {
   get: function get(aPermName, aManifestURL, aOrigin, aBrowserFlag) {
-    // TODO: Bug 1196644 - Add signPKg parameter into PermissionSettings.js
     debug("Get called with: " + aPermName + ", " + aManifestURL + ", " + aOrigin + ", " + aBrowserFlag);
     let uri = Services.io.newURI(aOrigin, null, null);
     let appID = appsService.getAppLocalIdByManifestURL(aManifestURL);
-    let principal =
-      Services.scriptSecurityManager.createCodebasePrincipal(uri,
-                                                             {appId: appID,
-                                                              inBrowser: aBrowserFlag});
+    let principal = Services.scriptSecurityManager.getAppCodebasePrincipal(uri, appID, aBrowserFlag);
     let result = Services.perms.testExactPermanentPermission(principal, aPermName);
 
     switch (result)
     {
       case Ci.nsIPermissionManager.UNKNOWN_ACTION:
         return "unknown";
       case Ci.nsIPermissionManager.ALLOW_ACTION:
         return "allow";
@@ -58,22 +54,21 @@ PermissionSettings.prototype = {
       default:
         dump("Unsupported PermissionSettings Action!\n");
         return "unknown";
     }
   },
 
   isExplicit: function isExplicit(aPermName, aManifestURL, aOrigin,
                                   aBrowserFlag) {
-    // TODO: Bug 1196644 - Add signPKg parameter into PermissionSettings.js
     debug("isExplicit: " + aPermName + ", " + aManifestURL + ", " + aOrigin);
     let uri = Services.io.newURI(aOrigin, null, null);
     let app = appsService.getAppByManifestURL(aManifestURL);
     let principal = Services.scriptSecurityManager
-      .createCodebasePrincipal(uri, {appId: app.localId, inBrowser: aBrowserFlag});
+      .getAppCodebasePrincipal(uri, app.localId, aBrowserFlag);
 
     return isExplicitInPermissionsTable(aPermName,
                                         principal.appStatus,
                                         app.kind);
   },
 
   set: function set(aPermName, aPermValue, aManifestURL, aOrigin,
                     aBrowserFlag) {
@@ -99,23 +94,19 @@ PermissionSettings.prototype = {
       origin: aOrigin,
       manifestURL: aManifestURL,
       value: aPermValue,
       browserFlag: aBrowserFlag
     });
   },
 
   remove: function remove(aPermName, aManifestURL, aOrigin) {
-    // TODO: Bug 1196644 - Add signPKg parameter into PermissionSettings.js
     let uri = Services.io.newURI(aOrigin, null, null);
     let appID = appsService.getAppLocalIdByManifestURL(aManifestURL);
-    let principal =
-      Services.scriptSecurityManager.createCodebasePrincipal(uri,
-                                                             {appId: appID,
-                                                              inBrowser: true});
+    let principal = Services.scriptSecurityManager.getAppCodebasePrincipal(uri, appID, true);
 
     if (principal.appStatus !== Ci.nsIPrincipal.APP_STATUS_NOT_INSTALLED) {
       let errorMsg = "PermissionSettings.js: '" + aOrigin + "'" +
                      " is installed or permission is implicit, cannot remove '" +
                      aPermName + "'.";
       Cu.reportError(errorMsg);
       throw new Components.Exception(errorMsg);
     }
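Review bot: The literal `true` passed as the in-browser flag to `getAppCodebasePrincipal` in `remove` is unexplained, while `get` and `isExplicit` forward the caller's `aBrowserFlag`. Because that flag is part of the principal the permission is keyed on, a reader cannot tell whether `remove` is meant to be limited to in-browser principals or simply lacks the parameter. If the restriction is intended, a comment above the call would record it, for example `// remove() has no browser flag: it only targets the in-browser principal for this app and origin.` The body of `remove` continues past the end of this hunk.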
--- a/dom/permission/PermissionSettings.jsm
+++ b/dom/permission/PermissionSettings.jsm
@@ -62,23 +62,19 @@ this.PermissionSettingsModule = {
   addPermission: function addPermission(aData, aCallbacks) {
 
     this._internalAddPermission(aData, true, aCallbacks);
 
   },
 
 
   _internalAddPermission: function _internalAddPermission(aData, aAllowAllChanges, aCallbacks) {
-    // TODO: Bug 1196644 - Add signPKg parameter into PermissionSettings.jsm
     let uri = Services.io.newURI(aData.origin, null, null);
     let app = appsService.getAppByManifestURL(aData.manifestURL);
-    let principal =
-      Services.scriptSecurityManager.createCodebasePrincipal(uri,
-                                                             {appId: app.localId,
-                                                              inBrowser: aData.browserFlag});
+    let principal = Services.scriptSecurityManager.getAppCodebasePrincipal(uri, app.localId, aData.browserFlag);
 
     let action;
     switch (aData.value)
     {
       case "unknown":
         action = Ci.nsIPermissionManager.UNKNOWN_ACTION;
         break;
       case "allow":
@@ -102,24 +98,20 @@ this.PermissionSettingsModule = {
       return true;
     } else {
       debug("add Failure: " + aData.origin + " " + app.localId + " " + action);
       return false; // This isn't currently used, see comment on setPermission
     }
   },
 
   getPermission: function getPermission(aPermName, aManifestURL, aOrigin, aBrowserFlag) {
-    // TODO: Bug 1196644 - Add signPKg parameter into PermissionSettings.jsm
     debug("getPermission: " + aPermName + ", " + aManifestURL + ", " + aOrigin);
     let uri = Services.io.newURI(aOrigin, null, null);
     let appID = appsService.getAppLocalIdByManifestURL(aManifestURL);
-    let principal =
-      Services.scriptSecurityManager.createCodebasePrincipal(uri,
-                                                             {appId: appID,
-                                                              inBrowser: aBrowserFlag});
+    let principal = Services.scriptSecurityManager.getAppCodebasePrincipal(uri, appID, aBrowserFlag);
     let result = Services.perms.testExactPermissionFromPrincipal(principal, aPermName);
 
     switch (result)
     {
       case Ci.nsIPermissionManager.UNKNOWN_ACTION:
         return "unknown";
       case Ci.nsIPermissionManager.ALLOW_ACTION:
         return "allow";
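Review bot: `getPermission` queries `Services.perms.testExactPermissionFromPrincipal`, whereas `get` in dom/permission/PermissionSettings.js builds the same kind of principal and queries `testExactPermanentPermission`. Judging by the method names the two may treat non-permanent entries differently, so the same permission could be reported differently depending on which path answers. A comment on the lookup line stating which entries this path is meant to consider, and why it differs from `get`, would settle that for the next reader. The `switch` on `result` continues outside the hunk.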
--- a/dom/quota/QuotaManager.cpp
+++ b/dom/quota/QuotaManager.cpp
@@ -5283,19 +5283,20 @@ StorageDirectoryHelper::RunOnMainThread(
           return rv;
         }
 
         nsCOMPtr<nsIPrincipal> principal;
         if (originProps.mAppId == kUnknownAppId) {
           rv = secMan->GetSimpleCodebasePrincipal(uri,
                                                   getter_AddRefs(principal));
         } else {
-          OriginAttributes attrs(originProps.mAppId, originProps.mInMozBrowser);
-          principal = BasePrincipal::CreateCodebasePrincipal(uri, attrs);
-          rv = principal ? NS_OK : NS_ERROR_FAILURE;
+          rv = secMan->GetAppCodebasePrincipal(uri,
+                                               originProps.mAppId,
+                                               originProps.mInMozBrowser,
+                                               getter_AddRefs(principal));
         }
         if (NS_WARN_IF(NS_FAILED(rv))) {
           return rv;
         }
 
         if (mCreate) {
           rv = QuotaManager::GetInfoFromPrincipal(principal,
                                                   &originProps.mGroup,
--- a/dom/tests/mochitest/chrome/test_MozDomFullscreen_event.xul
+++ b/dom/tests/mochitest/chrome/test_MozDomFullscreen_event.xul
@@ -22,19 +22,19 @@ function make_uri(url) {
   var ios = Cc["@mozilla.org/network/io-service;1"].
             getService(Ci.nsIIOService);
   return ios.newURI(url, null, null);
 }
 
 // Ensure "fullscreen" permissions are not present on the test URI.
 var pm = Cc["@mozilla.org/permissionmanager;1"].getService(Ci.nsIPermissionManager);
 var uri = make_uri("http://mochi.test:8888");
-var ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                            .getService(Ci.nsIScriptSecurityManager);
-var principal = ssm.createCodebasePrincipal(uri, {});
+var principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                  .getService(Ci.nsIScriptSecurityManager)
+                  .getNoAppCodebasePrincipal(uri);
 pm.removeFromPrincipal(principal, "fullscreen");
 
 SpecialPowers.pushPrefEnv({"set": [
   ['full-screen-api.enabled', true],
   ['full-screen-api.allow-trusted-requests-only', false],
   ['full-screen-api.transition-duration.enter', '0 0'],
   ['full-screen-api.transition-duration.leave', '0 0']
 ]}, setup);
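Review bot: The restored principal lookup spells out `Components.classes[...]` although the lines just above it in the same script use the `Cc[...]` shorthand for the IO service and the permission manager. Writing it as `Cc["@mozilla.org/scriptsecuritymanager;1"]` keeps the file consistent. The same mix comes back in extensions/cookie/test/unit_ipc/test_child.js and in extensions/cookie/test/unit/test_permmanager_notifications.js; in the latter `Services.scriptSecurityManager.getNoAppCodebasePrincipal(...)` would be shorter still, since `Services.perms` is already used a few lines earlier.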
--- a/dom/tests/mochitest/localstorage/test_localStorageFromChrome.xhtml
+++ b/dom/tests/mochitest/localstorage/test_localStorageFromChrome.xhtml
@@ -13,21 +13,21 @@ function startTest()
   var ios = Components.classes["@mozilla.org/network/io-service;1"]
     .getService(Components.interfaces.nsIIOService);
   var ssm = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
     .getService(Components.interfaces.nsIScriptSecurityManager);
   var dsm = Components.classes["@mozilla.org/dom/localStorage-manager;1"]
     .getService(Components.interfaces.nsIDOMStorageManager);
 
   var uri = ios.newURI(url, "", null);
-  var principal = ssm.createCodebasePrincipal(uri, {});
+  var principal = ssm.getNoAppCodebasePrincipal(uri);
   var storage = dsm.createStorage(window, principal, "");
-
+  
   storage.setItem("chromekey", "chromevalue");
-
+  
   var aframe = document.getElementById("aframe");
   aframe.onload = function()
   {
     is(storage.getItem("chromekey"), "chromevalue");
     is(aframe.contentDocument.getElementById("data").innerHTML, "chromevalue");
     SimpleTest.finish();
   }
   aframe.src = "http://example.com/tests/dom/tests/mochitest/localstorage/frameChromeSlave.html";  
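Review bot: The two blank lines around `storage.setItem("chromekey", "chromevalue");` come back with trailing spaces on the new side and should stay empty. The only functional change in this hunk is the principal lookup, so leaving those lines untouched would also keep the backout diff to the one line that matters.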
--- a/extensions/cookie/nsPermission.cpp
+++ b/extensions/cookie/nsPermission.cpp
@@ -2,16 +2,17 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsPermission.h"
 #include "nsContentUtils.h"
 #include "nsIClassInfoImpl.h"
 #include "nsIEffectiveTLDService.h"
+#include "nsIScriptSecurityManager.h"
 #include "mozilla/BasePrincipal.h"
 
 // nsPermission Implementation
 
 NS_IMPL_CLASSINFO(nsPermission, nullptr, 0, {0})
 NS_IMPL_ISUPPORTS_CI(nsPermission, nsIPermission)
 
 nsPermission::nsPermission(nsIPrincipal*    aPrincipal,
@@ -162,14 +163,17 @@ nsPermission::Matches(nsIPrincipal* aPri
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPermission::MatchesURI(nsIURI* aURI, bool aExactHost, bool* aMatches)
 {
   NS_ENSURE_ARG_POINTER(aURI);
 
-  mozilla::OriginAttributes attrs;
-  nsCOMPtr<nsIPrincipal> principal = mozilla::BasePrincipal::CreateCodebasePrincipal(aURI, attrs);
-  NS_ENSURE_TRUE(principal, NS_ERROR_FAILURE);
+  nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
+  NS_ENSURE_TRUE(secMan, NS_ERROR_FAILURE);
+
+  nsCOMPtr<nsIPrincipal> principal;
+  nsresult rv = secMan->GetNoAppCodebasePrincipal(aURI, getter_AddRefs(principal));
+  NS_ENSURE_SUCCESS(rv, rv);
 
   return Matches(principal, aExactHost, aMatches);
 }
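Review bot: `MatchesURI` always builds its principal with `GetNoAppCodebasePrincipal`, so the URI is compared as a no-app origin, and nothing in the function says so. A short comment above the lookup, for example `// aURI carries no app or browser context; compare it as a no-app principal.`, would tell a caller holding an app-scoped permission what to expect from this method. How `Matches` treats a permission stored for an app principal is not visible in this hunk, so the wording should be checked against it.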
--- a/extensions/cookie/nsPermissionManager.cpp
+++ b/extensions/cookie/nsPermissionManager.cpp
@@ -121,34 +121,29 @@ GetPrincipalFromOrigin(const nsACString&
   principal.forget(aPrincipal);
   return NS_OK;
 }
 
 
 nsresult
 GetPrincipal(nsIURI* aURI, uint32_t aAppId, bool aIsInBrowserElement, nsIPrincipal** aPrincipal)
 {
-  // TODO: Bug 1165267 - Use OriginAttributes for nsCookieService
-  mozilla::OriginAttributes attrs(aAppId, aIsInBrowserElement);
-  nsCOMPtr<nsIPrincipal> principal = mozilla::BasePrincipal::CreateCodebasePrincipal(aURI, attrs);
-  NS_ENSURE_TRUE(principal, NS_ERROR_FAILURE);
-
-  principal.forget(aPrincipal);
-  return NS_OK;
+  nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
+  NS_ENSURE_TRUE(secMan, NS_ERROR_FAILURE);
+
+  return secMan->GetAppCodebasePrincipal(aURI, aAppId, aIsInBrowserElement, aPrincipal);
 }
 
 nsresult
 GetPrincipal(nsIURI* aURI, nsIPrincipal** aPrincipal)
 {
-  mozilla::OriginAttributes attrs;
-  nsCOMPtr<nsIPrincipal> principal = mozilla::BasePrincipal::CreateCodebasePrincipal(aURI, attrs);
-  NS_ENSURE_TRUE(principal, NS_ERROR_FAILURE);
-
-  principal.forget(aPrincipal);
-  return NS_OK;
+  nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
+  NS_ENSURE_TRUE(secMan, NS_ERROR_FAILURE);
+
+  return secMan->GetNoAppCodebasePrincipal(aURI, aPrincipal);
 }
 
 nsCString
 GetNextSubDomainForHost(const nsACString& aHost)
 {
   nsCOMPtr<nsIEffectiveTLDService> tldService =
     do_GetService(NS_EFFECTIVETLDSERVICE_CONTRACTID);
   if (!tldService) {
--- a/extensions/cookie/test/test_app_uninstall_permissions.html
+++ b/extensions/cookie/test/test_app_uninstall_permissions.html
@@ -62,32 +62,29 @@ var gManifestURL = "http://www.example.c
 
 function onInstall() {
   var testAppId = appsService.getAppLocalIdByManifestURL(gManifestURL);
 
   is(getPermissionCountForApp(testAppId), 0, "App should have no permission");
 
   var currentPermissionCount = getPermissionCountForApp(-1);
 
-  var attrs = {appId: testAppId};
-  var principal = secMan.createCodebasePrincipal(ioService.newURI("http://www.example.com", null, null),
-                                                 attrs);
+  var principal = secMan.getAppCodebasePrincipal(ioService.newURI("http://www.example.com", null, null),
+                                                 testAppId, false);
 
   permManager.addFromPrincipal(principal, "foobar", Ci.nsIPermissionManager.ALLOW_ACTION);
   permManager.addFromPrincipal(principal, "foo", Ci.nsIPermissionManager.DENY_ACTION);
   permManager.addFromPrincipal(principal, "bar", Ci.nsIPermissionManager.ALLOW_ACTION, Ci.nsIPermissionManager.EXPIRE_SESSION, 0);
 
-  attrs = {appId: testAppId, inBrowser: true};
-  principal = secMan.createCodebasePrincipal(ioService.newURI("http://www.example.com", null, null),
-                                             attrs);
+  principal = secMan.getAppCodebasePrincipal(ioService.newURI("http://www.example.com", null, null),
+                                             testAppId, true);
   permManager.addFromPrincipal(principal, "foobar", Ci.nsIPermissionManager.ALLOW_ACTION);
 
-  attrs = {appId: testAppId};
-  principal = secMan.createCodebasePrincipal(ioService.newURI("http://www.example.org", null, null),
-                                             attrs);
+  principal = secMan.getAppCodebasePrincipal(ioService.newURI("http://www.example.org", null, null),
+                                             testAppId, false);
   permManager.addFromPrincipal(principal, "foobar", Ci.nsIPermissionManager.ALLOW_ACTION);
 
   is(getPermissionCountForApp(testAppId), 5, "App should have 5 permissions");
 
   // Not installed means not installed as native app.
   navigator.mozApps.mgmt.getNotInstalled().onsuccess = function() {
     for (i in this.result) {
       var app = this.result[i];
--- a/extensions/cookie/test/unit/test_permmanager_cleardata.js
+++ b/extensions/cookie/test/unit/test_permmanager_cleardata.js
@@ -1,18 +1,17 @@
 /* Any copyright is dedicated to the Public Domain.
    http://creativecommons.org/publicdomain/zero/1.0/ */
 
 let pm;
 
 // Create a principal based on the { origin, appId, browserElement }.
 function createPrincipal(aOrigin, aAppId, aBrowserElement)
 {
-  var attrs = {appId: aAppId, inBrowser: aBrowserElement};
-  return Services.scriptSecurityManager.createCodebasePrincipal(NetUtil.newURI(aOrigin), attrs);
+  return Services.scriptSecurityManager.getAppCodebasePrincipal(NetUtil.newURI(aOrigin), aAppId, aBrowserElement);
 }
 
 // Return the subject required by 'webapps-clear-data' notification.
 function getSubject(aAppId, aBrowserOnly)
 {
   return {
     appId: aAppId,
     browserOnly: aBrowserOnly,
--- a/extensions/cookie/test/unit/test_permmanager_defaults.js
+++ b/extensions/cookie/test/unit/test_permmanager_defaults.js
@@ -46,24 +46,22 @@ add_task(function* do_test() {
   // Set the preference used by the permission manager so the file is read.
   Services.prefs.setCharPref("permissions.manager.defaultsUrl", "file://" + file.path);
 
   // initialize the permission manager service - it will read that default.
   let pm = Cc["@mozilla.org/permissionmanager;1"].
            getService(Ci.nsIPermissionManager);
 
   // test the default permission was applied.
-  let principal = Services.scriptSecurityManager.createCodebasePrincipal(TEST_ORIGIN, {});
-  let principalHttps = Services.scriptSecurityManager.createCodebasePrincipal(TEST_ORIGIN_HTTPS, {});
-  let principal2 = Services.scriptSecurityManager.createCodebasePrincipal(TEST_ORIGIN_2, {});
-  let principal3 = Services.scriptSecurityManager.createCodebasePrincipal(TEST_ORIGIN_3, {});
-
-  let attrs = {appId: 1000, inBrowser: true};
-  let principal4 = Services.scriptSecurityManager.createCodebasePrincipal(TEST_ORIGIN, attrs);
-  let principal5 = Services.scriptSecurityManager.createCodebasePrincipal(TEST_ORIGIN_3, attrs);
+  let principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(TEST_ORIGIN);
+  let principalHttps = Services.scriptSecurityManager.getNoAppCodebasePrincipal(TEST_ORIGIN_HTTPS);
+  let principal2 = Services.scriptSecurityManager.getNoAppCodebasePrincipal(TEST_ORIGIN_2);
+  let principal3 = Services.scriptSecurityManager.getNoAppCodebasePrincipal(TEST_ORIGIN_3);
+  let principal4 = Services.scriptSecurityManager.getAppCodebasePrincipal(TEST_ORIGIN, 1000, true);
+  let principal5 = Services.scriptSecurityManager.getAppCodebasePrincipal(TEST_ORIGIN_3, 1000, true);
 
   do_check_eq(Ci.nsIPermissionManager.ALLOW_ACTION,
               pm.testPermissionFromPrincipal(principal, TEST_PERMISSION));
   do_check_eq(Ci.nsIPermissionManager.ALLOW_ACTION,
               pm.testPermissionFromPrincipal(principalHttps, TEST_PERMISSION));
   do_check_eq(Ci.nsIPermissionManager.ALLOW_ACTION,
               pm.testPermissionFromPrincipal(principal3, TEST_PERMISSION));
   do_check_eq(Ci.nsIPermissionManager.ALLOW_ACTION,
@@ -219,17 +217,17 @@ function checkCapabilityViaDB(expected, 
   do_check();
   return deferred.promise;
 }
 
 // use the DB to find the requested permission.   Returns the permission
 // value (ie, the "capability" in nsIPermission parlance) or null if it can't
 // be found.
 function findCapabilityViaDB(origin = TEST_ORIGIN, type = TEST_PERMISSION) {
-  let principal = Services.scriptSecurityManager.createCodebasePrincipal(origin, {});
+  let principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(origin);
   let originStr = principal.origin;
 
   let file = Services.dirsvc.get("ProfD", Ci.nsIFile);
   file.append("permissions.sqlite");
 
   let storage = Cc["@mozilla.org/storage/service;1"]
                   .getService(Ci.mozIStorageService);
 
--- a/extensions/cookie/test/unit/test_permmanager_expiration.js
+++ b/extensions/cookie/test/unit/test_permmanager_expiration.js
@@ -16,17 +16,17 @@ function continue_test()
 }
 
 function do_run_test() {
   // Set up a profile.
   let profile = do_get_profile();
 
   let pm = Services.perms;
   let permURI = NetUtil.newURI("http://example.com");
-  let principal = Services.scriptSecurityManager.createCodebasePrincipal(permURI, {});
+  let principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(permURI);
 
   let now = Number(Date.now());
 
   // add a permission with *now* expiration
   pm.addFromPrincipal(principal, "test/expiration-perm-exp", 1, pm.EXPIRE_TIME, now);
   pm.addFromPrincipal(principal, "test/expiration-session-exp", 1, pm.EXPIRE_SESSION, now);
 
   // add a permission with future expiration (100 milliseconds)
--- a/extensions/cookie/test/unit/test_permmanager_getPermissionObject.js
+++ b/extensions/cookie/test/unit/test_permmanager_getPermissionObject.js
@@ -1,16 +1,15 @@
 /* Any copyright is dedicated to the Public Domain.
    http://creativecommons.org/publicdomain/zero/1.0/ */
 
-function getPrincipalFromURI(aURI) {
-  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
-  let uri = NetUtil.newURI(aURI);
-  return ssm.createCodebasePrincipal(uri, {});
+function getPrincipalFromURI(uri) {
+  return Cc["@mozilla.org/scriptsecuritymanager;1"]
+           .getService(Ci.nsIScriptSecurityManager)
+           .getNoAppCodebasePrincipal(NetUtil.newURI(uri));
 }
 
 function getSystemPrincipal() {
   return Cc["@mozilla.org/scriptsecuritymanager;1"]
            .getService(Ci.nsIScriptSecurityManager)
            .getSystemPrincipal();
 }
 
--- a/extensions/cookie/test/unit/test_permmanager_idn.js
+++ b/extensions/cookie/test/unit/test_permmanager_idn.js
@@ -1,16 +1,15 @@
 /* Any copyright is dedicated to the Public Domain.
    http://creativecommons.org/publicdomain/zero/1.0/ */
 
 function getPrincipalFromDomain(aDomain) {
-  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
-  let uri = NetUtil.newURI("http://" + aDomain);
-  return ssm.createCodebasePrincipal(uri, {});
+  return Cc["@mozilla.org/scriptsecuritymanager;1"]
+           .getService(Ci.nsIScriptSecurityManager)
+           .getNoAppCodebasePrincipal(NetUtil.newURI("http://" + aDomain));
 }
 
 function run_test() {
   let profile = do_get_profile();
   let pm = Services.perms;
   let perm = 'test-idn';
 
   // We create three principal linked to IDN.
@@ -41,9 +40,9 @@ function run_test() {
   do_check_eq(pm.testPermissionFromPrincipal(punyTldPrincipal, perm), pm.ALLOW_ACTION);
 
   // However, those two principals shouldn't be allowed because they are like
   // the IDN but without the UT8-8 characters.
   let witnessPrincipal = getPrincipalFromDomain("foo.com");
   do_check_eq(pm.testPermissionFromPrincipal(witnessPrincipal, perm), pm.UNKNOWN_ACTION);
   witnessPrincipal = getPrincipalFromDomain("foo.bar.com");
   do_check_eq(pm.testPermissionFromPrincipal(witnessPrincipal, perm), pm.UNKNOWN_ACTION);
-}
+}
\ No newline at end of file
--- a/extensions/cookie/test/unit/test_permmanager_load_invalid_entries.js
+++ b/extensions/cookie/test/unit/test_permmanager_load_invalid_entries.js
@@ -129,14 +129,13 @@ function run_test() {
     let thisModTime = select.getInt64(0);
     do_check_true(thisModTime == 0, "new modifiedTime field is correct");
     numMigrated += 1;
   }
   // check we found at least 1 record that was migrated.
   do_check_true(numMigrated > 0, "we found at least 1 record that was migrated");
 
   // This permission should always be there.
-  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
-  let uri = NetUtil.newURI("http://example.org");
-  let principal = ssm.createCodebasePrincipal(uri, {});
+  let principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(NetUtil.newURI("http://example.org"));
   do_check_eq(pm.testPermissionFromPrincipal(principal, 'test-load-invalid-entries'), Ci.nsIPermissionManager.ALLOW_ACTION);
 }
--- a/extensions/cookie/test/unit/test_permmanager_local_files.js
+++ b/extensions/cookie/test/unit/test_permmanager_local_files.js
@@ -1,17 +1,16 @@
 /* Any copyright is dedicated to the Public Domain.
    http://creativecommons.org/publicdomain/zero/1.0/ */
 
 // Test that permissions work for file:// URIs (aka local files).
 
 function getPrincipalFromURIString(uriStr)
 {
-  let uri = NetUtil.newURI(uriStr);
-  return Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
+  return Services.scriptSecurityManager.getNoAppCodebasePrincipal(NetUtil.newURI(uriStr));
 }
 
 function run_test() {
   let pm = Services.perms;
 
   // If we add a permission to a file:// URI, the test should return true.
   let principal = getPrincipalFromURIString("file:///foo/bar");
   pm.addFromPrincipal(principal, "test/local-files", pm.ALLOW_ACTION, 0, 0);
--- a/extensions/cookie/test/unit/test_permmanager_matches.js
+++ b/extensions/cookie/test/unit/test_permmanager_matches.js
@@ -33,54 +33,50 @@ function run_test() {
   // Add some permissions
   let uri0 = NetUtil.newURI("http://google.com/search?q=foo#hashtag", null, null);
   let uri1 = NetUtil.newURI("http://hangouts.google.com/subdir", null, null);
   let uri2 = NetUtil.newURI("http://google.org/", null, null);
   let uri3 = NetUtil.newURI("https://google.com/some/random/subdirectory", null, null);
   let uri4 = NetUtil.newURI("https://hangouts.google.com/#!/hangout", null, null);
   let uri5 = NetUtil.newURI("http://google.com:8096/", null, null);
 
-  let uri0_n_n = secMan.createCodebasePrincipal(uri0, {});
-  let uri1_n_n = secMan.createCodebasePrincipal(uri1, {});
-  let uri2_n_n = secMan.createCodebasePrincipal(uri2, {});
-  let uri3_n_n = secMan.createCodebasePrincipal(uri3, {});
-  let uri4_n_n = secMan.createCodebasePrincipal(uri4, {});
-  let uri5_n_n = secMan.createCodebasePrincipal(uri5, {});
+  let uri0_n_n = secMan.getNoAppCodebasePrincipal(uri0);
+  let uri1_n_n = secMan.getNoAppCodebasePrincipal(uri1);
+  let uri2_n_n = secMan.getNoAppCodebasePrincipal(uri2);
+  let uri3_n_n = secMan.getNoAppCodebasePrincipal(uri3);
+  let uri4_n_n = secMan.getNoAppCodebasePrincipal(uri4);
+  let uri5_n_n = secMan.getNoAppCodebasePrincipal(uri5);
 
-  let attrs = {appId: 1000};
-  let uri0_1000_n = secMan.createCodebasePrincipal(uri0, attrs);
-  let uri1_1000_n = secMan.createCodebasePrincipal(uri1, attrs);
-  let uri2_1000_n = secMan.createCodebasePrincipal(uri2, attrs);
-  let uri3_1000_n = secMan.createCodebasePrincipal(uri3, attrs);
-  let uri4_1000_n = secMan.createCodebasePrincipal(uri4, attrs);
-  let uri5_1000_n = secMan.createCodebasePrincipal(uri5, attrs);
+  let uri0_1000_n = secMan.getAppCodebasePrincipal(uri0, 1000, false);
+  let uri1_1000_n = secMan.getAppCodebasePrincipal(uri1, 1000, false);
+  let uri2_1000_n = secMan.getAppCodebasePrincipal(uri2, 1000, false);
+  let uri3_1000_n = secMan.getAppCodebasePrincipal(uri3, 1000, false);
+  let uri4_1000_n = secMan.getAppCodebasePrincipal(uri4, 1000, false);
+  let uri5_1000_n = secMan.getAppCodebasePrincipal(uri5, 1000, false);
 
-  attrs = {appId: 1000, inBrowser: true};
-  let uri0_1000_y = secMan.createCodebasePrincipal(uri0, attrs);
-  let uri1_1000_y = secMan.createCodebasePrincipal(uri1, attrs);
-  let uri2_1000_y = secMan.createCodebasePrincipal(uri2, attrs);
-  let uri3_1000_y = secMan.createCodebasePrincipal(uri3, attrs);
-  let uri4_1000_y = secMan.createCodebasePrincipal(uri4, attrs);
-  let uri5_1000_y = secMan.createCodebasePrincipal(uri5, attrs);
+  let uri0_1000_y = secMan.getAppCodebasePrincipal(uri0, 1000, true);
+  let uri1_1000_y = secMan.getAppCodebasePrincipal(uri1, 1000, true);
+  let uri2_1000_y = secMan.getAppCodebasePrincipal(uri2, 1000, true);
+  let uri3_1000_y = secMan.getAppCodebasePrincipal(uri3, 1000, true);
+  let uri4_1000_y = secMan.getAppCodebasePrincipal(uri4, 1000, true);
+  let uri5_1000_y = secMan.getAppCodebasePrincipal(uri5, 1000, true);
 
-  attrs = {appId: 2000};
-  let uri0_2000_n = secMan.createCodebasePrincipal(uri0, attrs);
-  let uri1_2000_n = secMan.createCodebasePrincipal(uri1, attrs);
-  let uri2_2000_n = secMan.createCodebasePrincipal(uri2, attrs);
-  let uri3_2000_n = secMan.createCodebasePrincipal(uri3, attrs);
-  let uri4_2000_n = secMan.createCodebasePrincipal(uri4, attrs);
-  let uri5_2000_n = secMan.createCodebasePrincipal(uri5, attrs);
+  let uri0_2000_n = secMan.getAppCodebasePrincipal(uri0, 2000, false);
+  let uri1_2000_n = secMan.getAppCodebasePrincipal(uri1, 2000, false);
+  let uri2_2000_n = secMan.getAppCodebasePrincipal(uri2, 2000, false);
+  let uri3_2000_n = secMan.getAppCodebasePrincipal(uri3, 2000, false);
+  let uri4_2000_n = secMan.getAppCodebasePrincipal(uri4, 2000, false);
+  let uri5_2000_n = secMan.getAppCodebasePrincipal(uri5, 2000, false);
 
-  attrs = {appId: 2000, inBrowser: true};
-  let uri0_2000_y = secMan.createCodebasePrincipal(uri0, attrs);
-  let uri1_2000_y = secMan.createCodebasePrincipal(uri1, attrs);
-  let uri2_2000_y = secMan.createCodebasePrincipal(uri2, attrs);
-  let uri3_2000_y = secMan.createCodebasePrincipal(uri3, attrs);
-  let uri4_2000_y = secMan.createCodebasePrincipal(uri4, attrs);
-  let uri5_2000_y = secMan.createCodebasePrincipal(uri5, attrs);
+  let uri0_2000_y = secMan.getAppCodebasePrincipal(uri0, 2000, true);
+  let uri1_2000_y = secMan.getAppCodebasePrincipal(uri1, 2000, true);
+  let uri2_2000_y = secMan.getAppCodebasePrincipal(uri2, 2000, true);
+  let uri3_2000_y = secMan.getAppCodebasePrincipal(uri3, 2000, true);
+  let uri4_2000_y = secMan.getAppCodebasePrincipal(uri4, 2000, true);
+  let uri5_2000_y = secMan.getAppCodebasePrincipal(uri5, 2000, true);
 
   pm.addFromPrincipal(uri0_n_n, "test/matches", pm.ALLOW_ACTION);
   let perm_n_n = pm.getPermissionObject(uri0_n_n, "test/matches", true);
   pm.addFromPrincipal(uri0_1000_n, "test/matches", pm.ALLOW_ACTION);
   let perm_1000_n = pm.getPermissionObject(uri0_1000_n, "test/matches", true);
   pm.addFromPrincipal(uri0_1000_y, "test/matches", pm.ALLOW_ACTION);
   let perm_1000_y = pm.getPermissionObject(uri0_1000_y, "test/matches", true);
   pm.addFromPrincipal(uri0_2000_n, "test/matches", pm.ALLOW_ACTION);
--- a/extensions/cookie/test/unit/test_permmanager_matchesuri.js
+++ b/extensions/cookie/test/unit/test_permmanager_matchesuri.js
@@ -25,19 +25,19 @@ function matches_never(perm, uris) {
 function mk_permission(uri, isAppPermission = false) {
   let pm = Cc["@mozilla.org/permissionmanager;1"].
         getService(Ci.nsIPermissionManager);
 
   let secMan = Cc["@mozilla.org/scriptsecuritymanager;1"]
         .getService(Ci.nsIScriptSecurityManager);
 
   // Get the permission from the principal!
-  let attrs = {appId: 1000};
-  let principal =
-    secMan.createCodebasePrincipal(uri, isAppPermission ? attrs : {});
+  let principal = isAppPermission ?
+        secMan.getAppCodebasePrincipal(uri, 1000, false) :
+        secMan.getNoAppCodebasePrincipal(uri);
 
   pm.addFromPrincipal(principal, "test/matchesuri", pm.ALLOW_ACTION);
   let permission = pm.getPermissionObject(principal, "test/matchesuri", true);
 
   return permission;
 }
 
 function run_test() {
--- a/extensions/cookie/test/unit/test_permmanager_notifications.js
+++ b/extensions/cookie/test/unit/test_permmanager_notifications.js
@@ -18,20 +18,19 @@ function continue_test()
 
 function do_run_test() {
   // Set up a profile.
   let profile = do_get_profile();
 
   let pm = Services.perms;
   let now = Number(Date.now());
   let permType = "test/expiration-perm";
-  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
-  let uri = NetUtil.newURI("http://example.com");
-  let principal = ssm.createCodebasePrincipal(uri, {});
+  let principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(NetUtil.newURI("http://example.com"));
 
   let observer = new permission_observer(test_generator, now, permType);
   Services.obs.addObserver(observer, "perm-changed", false);
 
   // Add a permission, to test the 'add' notification. Note that we use
   // do_execute_soon() so that we can use our generator to continue the test
   // where we left off.
   do_execute_soon(function() {
--- a/extensions/cookie/test/unit/test_permmanager_removesince.js
+++ b/extensions/cookie/test/unit/test_permmanager_removesince.js
@@ -19,20 +19,20 @@ function do_run_test() {
   // Set up a profile.
   let profile = do_get_profile();
 
   let pm = Services.perms;
 
   // to help with testing edge-cases, we will arrange for .removeAllSince to
   // remove *all* permissions from one principal and one permission from another.
   let permURI1 = NetUtil.newURI("http://example.com");
-  let principal1 = Services.scriptSecurityManager.createCodebasePrincipal(permURI1, {});
+  let principal1 = Services.scriptSecurityManager.getNoAppCodebasePrincipal(permURI1);
 
   let permURI2 = NetUtil.newURI("http://example.org");
-  let principal2 = Services.scriptSecurityManager.createCodebasePrincipal(permURI2, {});
+  let principal2 = Services.scriptSecurityManager.getNoAppCodebasePrincipal(permURI2);
 
   // add a permission now - this isn't going to be removed.
   pm.addFromPrincipal(principal1, "test/remove-since", 1);
 
   // sleep briefly, then record the time - we'll remove all since then.
   do_timeout(20, continue_test);
   yield;
 
--- a/extensions/cookie/test/unit/test_permmanager_subdomains.js
+++ b/extensions/cookie/test/unit/test_permmanager_subdomains.js
@@ -1,16 +1,15 @@
 /* Any copyright is dedicated to the Public Domain.
    http://creativecommons.org/publicdomain/zero/1.0/ */
 
-function getPrincipalFromURI(aURI) {
-  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
-  let uri = NetUtil.newURI(aURI);
-  return ssm.createCodebasePrincipal(uri, {});
+function getPrincipalFromURI(uri) {
+  return Cc["@mozilla.org/scriptsecuritymanager;1"]
+           .getService(Ci.nsIScriptSecurityManager)
+           .getNoAppCodebasePrincipal(NetUtil.newURI(uri));
 }
 
 function run_test() {
   var pm = Cc["@mozilla.org/permissionmanager;1"].
            getService(Ci.nsIPermissionManager);
 
   // Adds a permission to a sub-domain. Checks if it is working.
   let sub1Principal = getPrincipalFromURI("http://sub1.example.com");
@@ -49,9 +48,9 @@ function run_test() {
   // A sanity check that the previous implementation wasn't passing...
   let crazyPrincipal = getPrincipalFromURI("http://com");
   pm.addFromPrincipal(crazyPrincipal, "test/subdomains", pm.ALLOW_ACTION, 0, 0);
   do_check_eq(pm.testPermissionFromPrincipal(crazyPrincipal, "test/subdomains"),  pm.ALLOW_ACTION);
   do_check_eq(pm.testPermissionFromPrincipal(mainPrincipal, "test/subdomains"),   pm.UNKNOWN_ACTION);
   do_check_eq(pm.testPermissionFromPrincipal(sub1Principal, "test/subdomains"),   pm.UNKNOWN_ACTION);
   do_check_eq(pm.testPermissionFromPrincipal(sub2Principal, "test/subdomains"),   pm.UNKNOWN_ACTION);
   do_check_eq(pm.testPermissionFromPrincipal(subsubPrincipal, "test/subdomains"), pm.UNKNOWN_ACTION);
-}
+}
\ No newline at end of file
--- a/extensions/cookie/test/unit_ipc/test_child.js
+++ b/extensions/cookie/test/unit_ipc/test_child.js
@@ -7,19 +7,19 @@ var gIoService = Components.classes["@mo
 
 function isParentProcess() {
     let appInfo = Cc["@mozilla.org/xre/app-info;1"];
     return (!appInfo || appInfo.getService(Ci.nsIXULRuntime).processType == Ci.nsIXULRuntime.PROCESS_TYPE_DEFAULT);
 }
 
 function getPrincipalForURI(aURI) {
   var uri =  gIoService.newURI(aURI, null, null);
-  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
-  return ssm.createCodebasePrincipal(uri, {});
+  return Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                   .getService(Ci.nsIScriptSecurityManager)
+                   .getNoAppCodebasePrincipal(uri);
 }
 
 function run_test() {
   if (!isParentProcess()) {
     const Ci = Components.interfaces;
     const Cc = Components.classes;
 
     var mM = Cc["@mozilla.org/childprocessmessagemanager;1"].
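Review bot: `getPrincipalForURI` mixes `Components.classes[...]` with the `Ci` shorthand in a single expression, while `isParentProcess` just above and the twin helper in test_parent.js use `Cc`. Prefer `Cc["@mozilla.org/scriptsecuritymanager;1"]` so the file reads consistently. The same mix appears in the `makeChan` hunk of test_auth_dialog_permission.js and in the two test_fallback_no-cache-entry hunks.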
--- a/extensions/cookie/test/unit_ipc/test_parent.js
+++ b/extensions/cookie/test/unit_ipc/test_parent.js
@@ -7,19 +7,19 @@ var gIoService = Components.classes["@mo
 
 function isParentProcess() {
     let appInfo = Cc["@mozilla.org/xre/app-info;1"];
     return (!appInfo || appInfo.getService(Ci.nsIXULRuntime).processType == Ci.nsIXULRuntime.PROCESS_TYPE_DEFAULT);
 }
 
 function getPrincipalForURI(aURI) {
   var uri = gIoService.newURI(aURI, null, null);
-  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
-  return ssm.createCodebasePrincipal(uri, {});
+  return Cc["@mozilla.org/scriptsecuritymanager;1"]
+           .getService(Ci.nsIScriptSecurityManager)
+           .getNoAppCodebasePrincipal(uri);
 }
 
 function run_test() {
   if (isParentProcess()) {
     var pm = Cc["@mozilla.org/permissionmanager;1"].getService(Ci.nsIPermissionManager);
 
     // Permissions created before the child is present
     pm.addFromPrincipal(getPrincipalForURI("http://mozilla.org"), "cookie1", pm.ALLOW_ACTION, pm.EXPIRE_NEVER, 0);
--- a/gfx/thebes/gfxSVGGlyphs.cpp
+++ b/gfx/thebes/gfxSVGGlyphs.cpp
@@ -14,20 +14,20 @@
 #include "nsIStreamListener.h"
 #include "nsServiceManagerUtils.h"
 #include "nsIPresShell.h"
 #include "nsNetUtil.h"
 #include "nsIInputStream.h"
 #include "nsStringStream.h"
 #include "nsStreamUtils.h"
 #include "nsIPrincipal.h"
-#include "mozilla/BasePrincipal.h"
 #include "mozilla/dom/Element.h"
 #include "mozilla/LoadInfo.h"
 #include "nsSVGUtils.h"
+#include "nsIScriptSecurityManager.h"
 #include "nsHostObjectProtocolHandler.h"
 #include "nsContentUtils.h"
 #include "gfxFont.h"
 #include "nsSMILAnimationController.h"
 #include "gfxContext.h"
 #include "gfxColor.h"
 #include "harfbuzz/hb.h"
 
@@ -343,20 +343,19 @@ gfxSVGGlyphsDocument::ParseDocument(cons
     nsCOMPtr<nsIURI> uri;
     nsHostObjectProtocolHandler::GenerateURIString(NS_LITERAL_CSTRING(FONTTABLEURI_SCHEME),
                                                    nullptr,
                                                    mSVGGlyphsDocumentURI);
  
     rv = NS_NewURI(getter_AddRefs(uri), mSVGGlyphsDocumentURI);
     NS_ENSURE_SUCCESS(rv, rv);
 
-    OriginAttributes attrs;
-    nsCOMPtr<nsIPrincipal> principal =
-        BasePrincipal::CreateCodebasePrincipal(uri, attrs);
-    NS_ENSURE_TRUE(principal, NS_ERROR_FAILURE);
+    nsCOMPtr<nsIPrincipal> principal;
+    nsContentUtils::GetSecurityManager()->
+        GetNoAppCodebasePrincipal(uri, getter_AddRefs(principal));
 
     nsCOMPtr<nsIDOMDocument> domDoc;
     rv = NS_NewDOMDocument(getter_AddRefs(domDoc),
                            EmptyString(),   // aNamespaceURI
                            EmptyString(),   // aQualifiedName
                            nullptr,          // aDoctype
                            uri, uri, principal,
                            false,           // aLoadedAsData
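Review bot: The result of `GetNoAppCodebasePrincipal` is discarded, so a failure leaves `principal` null and it is still handed to `NS_NewDOMDocument`; the removed lines guarded this with `NS_ENSURE_TRUE(principal, NS_ERROR_FAILURE)`. Assign the call to the existing `rv` and follow it with `NS_ENSURE_SUCCESS(rv, rv);`, as the `NS_NewURI` call just above does. The same unchecked pattern is in the HttpChannelParent::DoAsyncOpen hunk, where `principal` goes straight into `NS_ShouldCheckAppCache`; whether that helper tolerates a null principal is not visible from here. ParseDocument starts and ends outside this hunk.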
--- a/ipc/glue/BackgroundUtils.cpp
+++ b/ipc/glue/BackgroundUtils.cpp
@@ -1,17 +1,16 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "BackgroundUtils.h"
 
 #include "MainThreadUtils.h"
 #include "mozilla/Assertions.h"
-#include "mozilla/BasePrincipal.h"
 #include "mozilla/ipc/PBackgroundSharedTypes.h"
 #include "mozilla/net/NeckoChannelParams.h"
 #include "nsPrincipal.h"
 #include "nsIScriptSecurityManager.h"
 #include "nsIURI.h"
 #include "nsNetUtil.h"
 #include "mozilla/LoadInfo.h"
 #include "nsNullPrincipal.h"
@@ -19,18 +18,16 @@
 #include "nsString.h"
 #include "nsTArray.h"
 
 namespace mozilla {
 namespace net {
 class OptionalLoadInfoArgs;
 }
 
-using mozilla::BasePrincipal;
-using mozilla::OriginAttributes;
 using namespace mozilla::net;
 
 namespace ipc {
 
 already_AddRefed<nsIPrincipal>
 PrincipalInfoToPrincipal(const PrincipalInfo& aPrincipalInfo,
                          nsresult* aOptionalResult)
 {
@@ -75,20 +72,20 @@ PrincipalInfoToPrincipal(const Principal
       rv = NS_NewURI(getter_AddRefs(uri), info.spec());
       if (NS_WARN_IF(NS_FAILED(rv))) {
         return nullptr;
       }
 
       if (info.appId() == nsIScriptSecurityManager::UNKNOWN_APP_ID) {
         rv = secMan->GetSimpleCodebasePrincipal(uri, getter_AddRefs(principal));
       } else {
-        // TODO: Bug 1167100 - User nsIPrincipal.originAttribute in ContentPrincipalInfo
-        OriginAttributes attrs(info.appId(), info.isInBrowserElement());
-        principal = BasePrincipal::CreateCodebasePrincipal(uri, attrs);
-        rv = principal ? NS_OK : NS_ERROR_FAILURE;
+        rv = secMan->GetAppCodebasePrincipal(uri,
+                                             info.appId(),
+                                             info.isInBrowserElement(),
+                                             getter_AddRefs(principal));
       }
       if (NS_WARN_IF(NS_FAILED(rv))) {
         return nullptr;
       }
 
       return principal.forget();
     }
 
--- a/js/xpconnect/src/Sandbox.cpp
+++ b/js/xpconnect/src/Sandbox.cpp
@@ -11,16 +11,17 @@
 #include "AccessCheck.h"
 #include "jsfriendapi.h"
 #include "js/Proxy.h"
 #include "js/StructuredClone.h"
 #include "nsContentUtils.h"
 #include "nsGlobalWindow.h"
 #include "nsIScriptContext.h"
 #include "nsIScriptObjectPrincipal.h"
+#include "nsIScriptSecurityManager.h"
 #include "nsIURI.h"
 #include "nsJSUtils.h"
 #include "nsNetUtil.h"
 #include "nsNullPrincipal.h"
 #include "nsPrincipal.h"
 #include "nsXMLHttpRequest.h"
 #include "WrapperFactory.h"
 #include "xpcprivate.h"
@@ -1187,25 +1188,25 @@ ParsePrincipal(JSContext* cx, HandleStri
     nsAutoJSString codebaseStr;
     NS_ENSURE_TRUE(codebaseStr.init(cx, codebase), false);
     nsresult rv = NS_NewURI(getter_AddRefs(uri), codebaseStr);
     if (NS_FAILED(rv)) {
         JS_ReportError(cx, "Creating URI from string failed");
         return false;
     }
 
+    nsCOMPtr<nsIScriptSecurityManager> secman =
+        do_GetService(kScriptSecurityManagerContractID);
+    NS_ENSURE_TRUE(secman, false);
+
     // We could allow passing in the app-id and browser-element info to the
     // sandbox constructor. But creating a sandbox based on a string is a
     // deprecated API so no need to add features to it.
-    OriginAttributes attrs;
-    nsCOMPtr<nsIPrincipal> prin =
-        BasePrincipal::CreateCodebasePrincipal(uri, attrs);
-    prin.forget(principal);
-
-    if (!*principal) {
+    rv = secman->GetNoAppCodebasePrincipal(uri, principal);
+    if (NS_FAILED(rv) || !*principal) {
         JS_ReportError(cx, "Creating Principal from URI failed");
         return false;
     }
     return true;
 }
 
 /*
  * For sandbox constructor the first argument can be a principal object or
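Review bot: `NS_ENSURE_TRUE(secman, false);` returns false without setting a pending exception, unlike the two other failure paths in this function, which call `JS_ReportError` before returning. A JSAPI callee that fails without reporting generally surfaces to script as an uncatchable error, which is hard to diagnose. Replace it with `if (!secman) { JS_ReportError(cx, "Getting security manager failed"); return false; }`. The start of ParsePrincipal is outside the hunk.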
--- a/netwerk/cookie/CookieServiceParent.cpp
+++ b/netwerk/cookie/CookieServiceParent.cpp
@@ -2,51 +2,48 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "mozilla/net/CookieServiceParent.h"
 #include "mozilla/dom/PContentParent.h"
 #include "mozilla/net/NeckoParent.h"
 
-#include "mozilla/BasePrincipal.h"
 #include "mozilla/ipc/URIUtils.h"
 #include "nsCookieService.h"
 #include "nsIScriptSecurityManager.h"
 #include "nsIPrivateBrowsingChannel.h"
 #include "nsNetCID.h"
 #include "nsPrintfCString.h"
 #include "SerializedLoadContext.h"
 
 using namespace mozilla::ipc;
-using mozilla::BasePrincipal;
-using mozilla::OriginAttributes;
 using mozilla::dom::PContentParent;
 using mozilla::net::NeckoParent;
 
 namespace {
 
 // Ignore failures from this function, as they only affect whether we do or
 // don't show a dialog box in private browsing mode if the user sets a pref.
 void
 CreateDummyChannel(nsIURI* aHostURI, uint32_t aAppId, bool aInMozBrowser,
                    bool aIsPrivate, nsIChannel **aChannel)
 {
   MOZ_ASSERT(aAppId != nsIScriptSecurityManager::UNKNOWN_APP_ID);
 
-  // TODO: Bug 1165267 - Use OriginAttributes for nsCookieService 
-  OriginAttributes attrs(aAppId, aInMozBrowser);
-  nsCOMPtr<nsIPrincipal> principal =
-    BasePrincipal::CreateCodebasePrincipal(aHostURI, attrs);
-  if (!principal) {
+  nsCOMPtr<nsIPrincipal> principal;
+  nsIScriptSecurityManager* ssm = nsContentUtils::GetSecurityManager();
+  nsresult rv = ssm->GetAppCodebasePrincipal(aHostURI, aAppId, aInMozBrowser,
+                                             getter_AddRefs(principal));
+  if (NS_FAILED(rv)) {
     return;
   }
 
   nsCOMPtr<nsIURI> dummyURI;
-  nsresult rv = NS_NewURI(getter_AddRefs(dummyURI), "about:blank");
+  rv = NS_NewURI(getter_AddRefs(dummyURI), "about:blank");
   if (NS_FAILED(rv)) {
       return;
   }
 
   nsCOMPtr<nsIChannel> dummyChannel;
   NS_NewChannel(getter_AddRefs(dummyChannel), dummyURI, principal,
                 nsILoadInfo::SEC_NORMAL, nsIContentPolicy::TYPE_INVALID);
   nsCOMPtr<nsIPrivateBrowsingChannel> pbChannel = do_QueryInterface(dummyChannel);
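Review bot: `ssm` is dereferenced without a null check and only `rv` is tested afterwards, whereas the removed code tested `principal` itself before passing it to `NS_NewChannel`. Since this helper is documented as best-effort, add `if (!ssm) { return; }` before the call and make the guard `if (NS_FAILED(rv) || !principal)`. The new code also depends on `nsContentUtils`, but `nsContentUtils.h` is not among the includes visible at the top of this hunk, so it presumably arrives transitively; a direct include would be more robust. CreateDummyChannel continues past the end of the hunk.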
--- a/netwerk/protocol/http/HttpChannelParent.cpp
+++ b/netwerk/protocol/http/HttpChannelParent.cpp
@@ -12,36 +12,34 @@
 #include "mozilla/dom/TabParent.h"
 #include "mozilla/net/NeckoParent.h"
 #include "mozilla/unused.h"
 #include "HttpChannelParentListener.h"
 #include "nsHttpHandler.h"
 #include "nsNetUtil.h"
 #include "nsISupportsPriority.h"
 #include "nsIAuthPromptProvider.h"
+#include "nsIScriptSecurityManager.h"
 #include "nsSerializationHelper.h"
 #include "nsISerializable.h"
 #include "nsIAssociatedContentSecurity.h"
 #include "nsIApplicationCacheService.h"
 #include "mozilla/ipc/InputStreamUtils.h"
 #include "mozilla/ipc/URIUtils.h"
 #include "SerializedLoadContext.h"
 #include "nsIAuthInformation.h"
 #include "nsIAuthPromptCallback.h"
 #include "nsIContentPolicy.h"
 #include "mozilla/ipc/BackgroundUtils.h"
 #include "nsIOService.h"
 #include "nsICachingChannel.h"
 #include "mozilla/LoadInfo.h"
 #include "nsIHttpHeaderVisitor.h"
 #include "nsQueryObject.h"
-#include "mozilla/BasePrincipal.h"
 
-using mozilla::BasePrincipal;
-using mozilla::OriginAttributes;
 using namespace mozilla::dom;
 using namespace mozilla::ipc;
 
 namespace mozilla {
 namespace net {
 
 HttpChannelParent::HttpChannelParent(const PBrowserOrId& iframeEmbedding,
                                      nsILoadContext* aLoadContext,
@@ -453,25 +451,27 @@ HttpChannelParent::DoAsyncOpen(  const U
     }
 
     if (setChooseApplicationCache) {
       bool inBrowser = false;
       if (mLoadContext) {
         mLoadContext->GetIsInBrowserElement(&inBrowser);
       }
 
-      // TODO: Bug 1165466 - use originAttribute in nsILoadContext.
-      OriginAttributes attrs(appId, inBrowser);
-      nsCOMPtr<nsIPrincipal> principal =
-        BasePrincipal::CreateCodebasePrincipal(uri, attrs);
+      bool chooseAppCache = false;
+      nsCOMPtr<nsIScriptSecurityManager> secMan =
+        do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID);
+      if (secMan) {
+        nsCOMPtr<nsIPrincipal> principal;
+        secMan->GetAppCodebasePrincipal(uri, appId, inBrowser, getter_AddRefs(principal));
 
-      bool chooseAppCache = false;
-      // This works because we've already called SetNotificationCallbacks and
-      // done mPBOverride logic by this point.
-      chooseAppCache = NS_ShouldCheckAppCache(principal, NS_UsePrivateBrowsing(mChannel));
+        // This works because we've already called SetNotificationCallbacks and
+        // done mPBOverride logic by this point.
+        chooseAppCache = NS_ShouldCheckAppCache(principal, NS_UsePrivateBrowsing(mChannel));
+      }
 
       appCacheChan->SetChooseApplicationCache(chooseAppCache);
     }
   }
 
   nsID schedulingContextID;
   schedulingContextID.Parse(aSchedulingContextID.BeginReading());
   mChannel->SetSchedulingContextID(schedulingContextID);
--- a/netwerk/test/unit/test_auth_dialog_permission.js
+++ b/netwerk/test/unit/test_auth_dialog_permission.js
@@ -106,20 +106,21 @@ Requestor.prototype = {
 
 function make_uri(url) {
   var ios = Cc["@mozilla.org/network/io-service;1"].
               getService(Ci.nsIIOService);
   return ios.newURI(url, null, null);
 }
 
 function makeChan(loadingUrl, url, contentPolicy) {
-  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
-  var uri = make_uri(loadingUrl);
-  var principal = ssm.createCodebasePrincipal(uri, {});
+  var loadingUri = make_uri(loadingUrl);
+  var principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(loadingUri);
+
   var ios = Components.classes["@mozilla.org/network/io-service;1"]
                       .getService(Components.interfaces.nsIIOService);
   var chan = ios.newChannel2(url,
                              null,
                              null,
                              null,
                              principal,
                              null,
--- a/netwerk/test/unit/test_auth_jar.js
+++ b/netwerk/test/unit/test_auth_jar.js
@@ -8,19 +8,19 @@ function createURI(s) {
 }
  
 function run_test() {
   // Set up a profile.
   do_get_profile();
 
   var secMan = Cc["@mozilla.org/scriptsecuritymanager;1"].getService(Ci.nsIScriptSecurityManager);
   const kURI1 = "http://example.com";
-  var app1 = secMan.createCodebasePrincipal(createURI(kURI1), {appId: 1});
-  var app10 = secMan.createCodebasePrincipal(createURI(kURI1),{appId: 10});
-  var app1browser = secMan.createCodebasePrincipal(createURI(kURI1), {appId: 1, inBrowser: true});
+  var app1 = secMan.getAppCodebasePrincipal(createURI(kURI1), 1, false);
+  var app10 = secMan.getAppCodebasePrincipal(createURI(kURI1), 10, false);
+  var app1browser = secMan.getAppCodebasePrincipal(createURI(kURI1), 1, true);
 
   var am = Cc["@mozilla.org/network/http-auth-manager;1"].
            getService(Ci.nsIHttpAuthManager);
   am.setAuthIdentity("http", "a.example.com", -1, "basic", "realm", "", "example.com", "user", "pass", false, app1);
   am.setAuthIdentity("http", "a.example.com", -1, "basic", "realm", "", "example.com", "user3", "pass3", false, app1browser);
   am.setAuthIdentity("http", "a.example.com", -1, "basic", "realm", "", "example.com", "user2", "pass2", false, app10);
 
   let subject = {
--- a/netwerk/test/unit/test_fallback_no-cache-entry_canceled.js
+++ b/netwerk/test/unit/test_fallback_no-cache-entry_canceled.js
@@ -67,20 +67,20 @@ function run_test()
   httpServer = new HttpServer();
   httpServer.registerPathHandler("/masterEntry", masterEntryHandler);
   httpServer.registerPathHandler("/manifest", manifestHandler);
   httpServer.registerPathHandler("/content", contentHandler);
   httpServer.start(-1);
 
   var pm = Cc["@mozilla.org/permissionmanager;1"]
     .getService(Ci.nsIPermissionManager);
-  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
   var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = ssm.createCodebasePrincipal(uri, {});
+  var principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(uri);
 
   if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
     dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
   }
   pm.addFromPrincipal(principal, "offline-app", Ci.nsIPermissionManager.ALLOW_ACTION);
 
   var ps = Cc["@mozilla.org/preferences-service;1"]
     .getService(Ci.nsIPrefBranch);
--- a/netwerk/test/unit/test_fallback_no-cache-entry_passing.js
+++ b/netwerk/test/unit/test_fallback_no-cache-entry_passing.js
@@ -67,20 +67,20 @@ function run_test()
   httpServer = new HttpServer();
   httpServer.registerPathHandler("/masterEntry", masterEntryHandler);
   httpServer.registerPathHandler("/manifest", manifestHandler);
   httpServer.registerPathHandler("/content", contentHandler);
   httpServer.start(-1);
 
   var pm = Cc["@mozilla.org/permissionmanager;1"]
     .getService(Ci.nsIPermissionManager);
-  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
   var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = ssm.createCodebasePrincipal(uri, {});
+  var principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(uri);
 
   if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
     dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
   }
   pm.addFromPrincipal(principal, "offline-app", Ci.nsIPermissionManager.ALLOW_ACTION);
 
   var ps = Cc["@mozilla.org/preferences-service;1"]
     .getService(Ci.nsIPrefBranch);
--- a/netwerk/test/unit/test_fallback_redirect-to-different-origin_canceled.js
+++ b/netwerk/test/unit/test_fallback_redirect-to-different-origin_canceled.js
@@ -75,20 +75,20 @@ function run_test()
   httpServer.registerPathHandler("/masterEntry", masterEntryHandler);
   httpServer.registerPathHandler("/manifest", manifestHandler);
   httpServer.registerPathHandler("/content", contentHandler);
   httpServer.registerPathHandler(randomPath, redirectHandler);
   httpServer.start(-1);
 
   var pm = Cc["@mozilla.org/permissionmanager;1"]
     .getService(Ci.nsIPermissionManager);
-  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
   var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = ssm.createCodebasePrincipal(uri, {});
+  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(uri);
 
   if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
     dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
   }
   pm.addFromPrincipal(principal, "offline-app", Ci.nsIPermissionManager.ALLOW_ACTION);
 
   var ps = Cc["@mozilla.org/preferences-service;1"]
     .getService(Ci.nsIPrefBranch);
--- a/netwerk/test/unit/test_fallback_redirect-to-different-origin_passing.js
+++ b/netwerk/test/unit/test_fallback_redirect-to-different-origin_passing.js
@@ -75,20 +75,20 @@ function run_test()
   httpServer.registerPathHandler("/masterEntry", masterEntryHandler);
   httpServer.registerPathHandler("/manifest", manifestHandler);
   httpServer.registerPathHandler("/content", contentHandler);
   httpServer.registerPathHandler(randomPath, redirectHandler);
   httpServer.start(-1);
 
   var pm = Cc["@mozilla.org/permissionmanager;1"]
     .getService(Ci.nsIPermissionManager);
-  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
   var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = ssm.createCodebasePrincipal(uri, {});
+  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(uri);
 
   if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
     dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
   }
   pm.addFromPrincipal(principal, "offline-app", Ci.nsIPermissionManager.ALLOW_ACTION);
 
   var ps = Cc["@mozilla.org/preferences-service;1"]
     .getService(Ci.nsIPrefBranch);
--- a/netwerk/test/unit/test_fallback_request-error_canceled.js
+++ b/netwerk/test/unit/test_fallback_request-error_canceled.js
@@ -74,20 +74,20 @@ function run_test()
   httpServer = new HttpServer();
   httpServer.registerPathHandler("/masterEntry", masterEntryHandler);
   httpServer.registerPathHandler("/manifest", manifestHandler);
   httpServer.registerPathHandler("/content", contentHandler);
   httpServer.start(-1);
 
   var pm = Cc["@mozilla.org/permissionmanager;1"]
     .getService(Ci.nsIPermissionManager);
-  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
   var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = ssm.createCodebasePrincipal(uri, {});
+  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(uri);
 
   if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
     dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
   }
   pm.addFromPrincipal(principal, "offline-app", Ci.nsIPermissionManager.ALLOW_ACTION);
 
   var ps = Cc["@mozilla.org/preferences-service;1"]
     .getService(Ci.nsIPrefBranch);
--- a/netwerk/test/unit/test_fallback_request-error_passing.js
+++ b/netwerk/test/unit/test_fallback_request-error_passing.js
@@ -74,20 +74,20 @@ function run_test()
   httpServer = new HttpServer();
   httpServer.registerPathHandler("/masterEntry", masterEntryHandler);
   httpServer.registerPathHandler("/manifest", manifestHandler);
   httpServer.registerPathHandler("/content", contentHandler);
   httpServer.start(-1);
 
   var pm = Cc["@mozilla.org/permissionmanager;1"]
     .getService(Ci.nsIPermissionManager);
-  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
   var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = ssm.createCodebasePrincipal(uri, {});
+  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(uri);
 
   if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
     dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
   }
   pm.addFromPrincipal(principal, "offline-app", Ci.nsIPermissionManager.ALLOW_ACTION);
 
   var ps = Cc["@mozilla.org/preferences-service;1"]
     .getService(Ci.nsIPrefBranch);
--- a/netwerk/test/unit/test_fallback_response-error_canceled.js
+++ b/netwerk/test/unit/test_fallback_response-error_canceled.js
@@ -74,20 +74,20 @@ function run_test()
   httpServer.registerPathHandler("/masterEntry", masterEntryHandler);
   httpServer.registerPathHandler("/manifest", manifestHandler);
   httpServer.registerPathHandler("/content", contentHandler);
   httpServer.registerPathHandler(randomPath, errorHandler);
   httpServer.start(-1);
 
   var pm = Cc["@mozilla.org/permissionmanager;1"]
     .getService(Ci.nsIPermissionManager);
-  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
   var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = ssm.createCodebasePrincipal(uri, {});
+  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(uri);
 
   if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
     dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
   }
   pm.addFromPrincipal(principal, "offline-app", Ci.nsIPermissionManager.ALLOW_ACTION);
 
   var ps = Cc["@mozilla.org/preferences-service;1"]
     .getService(Ci.nsIPrefBranch);
--- a/netwerk/test/unit/test_fallback_response-error_passing.js
+++ b/netwerk/test/unit/test_fallback_response-error_passing.js
@@ -74,20 +74,20 @@ function run_test()
   httpServer.registerPathHandler("/masterEntry", masterEntryHandler);
   httpServer.registerPathHandler("/manifest", manifestHandler);
   httpServer.registerPathHandler("/content", contentHandler);
   httpServer.registerPathHandler(randomPath, errorHandler);
   httpServer.start(-1);
 
   var pm = Cc["@mozilla.org/permissionmanager;1"]
     .getService(Ci.nsIPermissionManager);
-  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
   var uri = make_uri("http://localhost:" + httpServer.identity.primaryPort);
-  var principal = ssm.createCodebasePrincipal(uri, {});
+  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(uri);
 
   if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
     dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
   }
   pm.addFromPrincipal(principal, "offline-app", Ci.nsIPermissionManager.ALLOW_ACTION);
 
   var ps = Cc["@mozilla.org/preferences-service;1"]
     .getService(Ci.nsIPrefBranch);
--- a/netwerk/test/unit/test_offlinecache_custom-directory.js
+++ b/netwerk/test/unit/test_offlinecache_custom-directory.js
@@ -98,20 +98,20 @@ function run_test()
   httpServer.start(4444);
 
   var profileDir = do_get_profile();
   var customDir = profileDir.clone();
   customDir.append("customOfflineCacheDir" + Math.random());
 
   var pm = Cc["@mozilla.org/permissionmanager;1"]
     .getService(Ci.nsIPermissionManager);
-  var ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
   var uri = make_uri("http://localhost:4444");
-  var principal = ssm.createCodebasePrincipal(uri, {});
+  var principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(uri);
 
   if (pm.testPermissionFromPrincipal(principal, "offline-app") != 0) {
     dump("Previous test failed to clear offline-app permission!  Expect failures.\n");
   }
   pm.addFromPrincipal(principal, "offline-app", Ci.nsIPermissionManager.ALLOW_ACTION);
 
   var ps = Cc["@mozilla.org/preferences-service;1"]
     .getService(Ci.nsIPrefBranch);
--- a/netwerk/test/unit/test_permmgr.js
+++ b/netwerk/test/unit/test_permmgr.js
@@ -41,25 +41,25 @@ function run_test() {
 
   // nsIPermissionManager implementation is an extension; don't fail if it's not there
   if (!pm)
     return;
 
   // put a few hosts in
   for (var i = 0; i < hosts.length; ++i) {
     let uri = ioService.newURI(hosts[i][0], null, null);
-    let principal = secMan.createCodebasePrincipal(uri, {});
+    let principal = secMan.getNoAppCodebasePrincipal(uri);
 
     pm.addFromPrincipal(principal, hosts[i][1], hosts[i][2]);
   }
 
   // test the result
   for (var i = 0; i < results.length; ++i) {
     let uri = ioService.newURI(results[i][0], null, null);
-    let principal = secMan.createCodebasePrincipal(uri, {});
+    let principal = secMan.getNoAppCodebasePrincipal(uri);
 
     do_check_eq(pm.testPermissionFromPrincipal(principal, results[i][1]), results[i][2]);
     do_check_eq(pm.testExactPermissionFromPrincipal(principal, results[i][1]), results[i][3]);
   }
 
   // test the enumerator ...
   var j = 0;
   var perms = new Array();
--- a/services/fxaccounts/tests/xpcshell/test_manager.js
+++ b/services/fxaccounts/tests/xpcshell/test_manager.js
@@ -20,17 +20,17 @@ let deletedOnServer = false;
 // Global representing FxAccounts state
 let certExpired = false;
 
 // Mock RP
 function makePrincipal(origin, appId) {
   let secMan = Cc["@mozilla.org/scriptsecuritymanager;1"]
                  .getService(Ci.nsIScriptSecurityManager);
   let uri = Services.io.newURI(origin, null, null);
-  return secMan.createCodebasePrincipal(uri, {appId: appId});
+  return secMan.getAppCodebasePrincipal(uri, appId, false);
 }
 let principal = makePrincipal('app://settings.gaiamobile.org', 27, false);
 
 // For override FxAccountsUIGlue.
 let fakeFxAccountsUIGlueCID;
 
 // FxAccountsUIGlue fake component.
 let FxAccountsUIGlue = {
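Review bot: `makePrincipal` declares two parameters and hard-codes `false` for the browser-element flag, yet the call on the following line passes a third argument (`false`) that is silently ignored. Either drop the extra argument at the call site or thread it through with `function makePrincipal(origin, appId, inBrowser)` and `secMan.getAppCodebasePrincipal(uri, appId, !!inBrowser)`. As written, a later test that passes `true` would still get a non-browser principal without any failure.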
--- a/services/mobileid/MobileIdentityManager.jsm
+++ b/services/mobileid/MobileIdentityManager.jsm
@@ -892,17 +892,19 @@ this.MobileIdentityManager = {
     );
 
     return deferred.promise;
   },
 
   getMobileIdAssertion: function(aPrincipal, aPromiseId, aOptions) {
     log.debug("getMobileIdAssertion ${}", aPrincipal);
 
-    let principal = aPrincipal;
+    let uri = Services.io.newURI(aPrincipal.origin, null, null);
+    let principal = securityManager.getAppCodebasePrincipal(
+      uri, aPrincipal.appId, aPrincipal.isInBrowserElement);
     let manifestURL = appsService.getManifestURLByLocalId(aPrincipal.appId);
 
     let permission = permissionManager.testPermissionFromPrincipal(
       principal,
       MOBILEID_PERM
     );
 
     if (permission == Ci.nsIPermissionManager.DENY_ACTION ||
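Review bot: The principal checked against `MOBILEID_PERM` is now rebuilt from `aPrincipal.origin`, `aPrincipal.appId` and `aPrincipal.isInBrowserElement`, and `Services.io.newURI` throws when the origin string does not parse as a URI. Nothing visible in this hunk catches that, so a non-URI origin would presumably escape as an exception rather than follow the function's denial path (not visible here); wrapping the two new statements in `try`/`catch` and treating a failure as denied would keep the check failing closed. A short comment would also help the next reader, e.g. `// Rebuild the principal from caller-supplied fields; the permission check below trusts these values.` The body of getMobileIdAssertion continues outside the hunk.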
--- a/services/mobileid/tests/xpcshell/head.js
+++ b/services/mobileid/tests/xpcshell/head.js
@@ -120,33 +120,31 @@ const INVALID_RADIO_INTERFACE = {
 const CERTIFICATE = "eyJhbGciOiJEUzI1NiJ9.eyJsYXN0QXV0aEF0IjoxNDA0NDY5NzkyODc3LCJ2ZXJpZmllZE1TSVNETiI6IiszMTYxNzgxNTc1OCIsInB1YmxpYy1rZXkiOnsiYWxnb3JpdGhtIjoiRFMiLCJ5IjoiNGE5YzkzNDY3MWZhNzQ3YmM2ZjMyNjE0YTg1MzUyZjY5NDcwMDdhNTRkMDAxMDY4OWU5ZjJjZjc0ZGUwYTEwZTRlYjlmNDk1ZGFmZTA0NGVjZmVlNDlkN2YwOGU4ODQyMDJiOTE5OGRhNWZhZWE5MGUzZjRmNzE1YzZjNGY4Yjc3MGYxZTU4YWZhNDM0NzVhYmFiN2VlZGE1MmUyNjk2YzFmNTljNzMzYjFlYzBhNGNkOTM1YWIxYzkyNzAxYjNiYTA5ZDRhM2E2MzNjNTJmZjE2NGYxMWY3OTg1YzlmZjY3ZThmZDFlYzA2NDU3MTdkMjBiNDE4YmM5M2YzYzVkNCIsInAiOiJmZjYwMDQ4M2RiNmFiZmM1YjQ1ZWFiNzg1OTRiMzUzM2Q1NTBkOWYxYmYyYTk5MmE3YThkYWE2ZGMzNGY4MDQ1YWQ0ZTZlMGM0MjlkMzM0ZWVlYWFlZmQ3ZTIzZDQ4MTBiZTAwZTRjYzE0OTJjYmEzMjViYTgxZmYyZDVhNWIzMDVhOGQxN2ViM2JmNGEwNmEzNDlkMzkyZTAwZDMyOTc0NGE1MTc5MzgwMzQ0ZTgyYTE4YzQ3OTMzNDM4Zjg5MWUyMmFlZWY4MTJkNjljOGY3NWUzMjZjYjcwZWEwMDBjM2Y3NzZkZmRiZDYwNDYzOGMyZWY3MTdmYzI2ZDAyZTE3IiwicSI6ImUyMWUwNGY5MTFkMWVkNzk5MTAwOGVjYWFiM2JmNzc1OTg0MzA5YzMiLCJnIjoiYzUyYTRhMGZmM2I3ZTYxZmRmMTg2N2NlODQxMzgzNjlhNjE1NGY0YWZhOTI5NjZlM2M4MjdlMjVjZmE2Y2Y1MDhiOTBlNWRlNDE5ZTEzMzdlMDdhMmU5ZTJhM2NkNWRlYTcwNGQxNzVmOGViZjZhZjM5N2Q2OWUxMTBiOTZhZmIxN2M3YTAzMjU5MzI5ZTQ4MjliMGQwM2JiYzc4OTZiMTViNGFkZTUzZTEzMDg1OGNjMzRkOTYyNjlhYTg5MDQxZjQwOTEzNmM3MjQyYTM4ODk1YzlkNWJjY2FkNGYzODlhZjFkN2E0YmQxMzk4YmQwNzJkZmZhODk2MjMzMzk3YSJ9LCJwcmluY2lwYWwiOiIwMzgxOTgyYS0xZTgzLTI1NjYtNjgzZS05MDRmNDA0NGM1MGRAbXNpc2RuLWRldi5zdGFnZS5tb3phd3MubmV0IiwiaWF0IjoxNDA0NDY5NzgyODc3LCJleHAiOjE0MDQ0OTEzOTI4NzcsImlzcyI6Im1zaXNkbi1kZXYuc3RhZ2UubW96YXdzLm5ldCJ9."
 
 // === Helpers ===
 
 function addPermission(aAction) {
   let uri = Cc["@mozilla.org/network/io-service;1"]
               .getService(Ci.nsIIOService)
               .newURI(ORIGIN, null, null);
-  let attrs = {appId: APP_ID};
   let _principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
                      .getService(Ci.nsIScriptSecurityManager)
-                     .createCodebasePrincipal(uri, attrs);
+                     .getAppCodebasePrincipal(uri, APP_ID, false);
   let pm = Cc["@mozilla.org/permissionmanager;1"]
              .getService(Ci.nsIPermissionManager);
   pm.addFromPrincipal(_principal, MOBILEID_PERM, aAction);
 }
 
 function removePermission() {
   let uri = Cc["@mozilla.org/network/io-service;1"]
               .getService(Ci.nsIIOService)
               .newURI(ORIGIN, null, null);
-  let attrs = {appId: APP_ID};
   let _principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
                      .getService(Ci.nsIScriptSecurityManager)
-                     .createCodebasePrincipal(uri, attrs);
+                     .getAppCodebasePrincipal(uri, APP_ID, false);
   let pm = Cc["@mozilla.org/permissionmanager;1"]
              .getService(Ci.nsIPermissionManager);
   pm.removeFromPrincipal(_principal, MOBILEID_PERM);
 }
 
 // === Mocks ===
 
 let Mock = function(aOptions) {
--- a/services/sync/Weave.js
+++ b/services/sync/Weave.js
@@ -183,17 +183,16 @@ AboutWeaveLog.prototype = {
     let channel = Services.io.newChannelFromURIWithLoadInfo(uri, aLoadInfo);
 
     channel.originalURI = aURI;
 
     // Ensure that the about page has the same privileges as a regular directory
     // view. That way links to files can be opened.
     let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
                 .getService(Ci.nsIScriptSecurityManager);
-    let principal = ssm.createCodebasePrincipal(uri, {});
-
+    let principal = ssm.getNoAppCodebasePrincipal(uri);
     channel.owner = principal;
     return channel;
   }
 };
 
 const components = [WeaveService, AboutWeaveLog];
 this.NSGetFactory = XPCOMUtils.generateNSGetFactory(components);
--- a/testing/marionette/driver/marionette_driver/marionette.py
+++ b/testing/marionette/driver/marionette_driver/marionette.py
@@ -804,20 +804,19 @@ class Marionette(object):
                 return value;
                 """, script_args=[perm], sandbox='system')
 
         with self.using_context('chrome'):
             permission = self.execute_script("""
                 Components.utils.import("resource://gre/modules/Services.jsm");
                 let perm = arguments[0];
                 let secMan = Services.scriptSecurityManager;
-                let attrs = {appId: perm.appId, inBrowser: perm.isInBrowserElement};
-                let principal = secMan.createCodebasePrincipal(
+                let principal = secMan.getAppCodebasePrincipal(
                                 Services.io.newURI(perm.url, null, null),
-                                attrs);
+                                perm.appId, perm.isInBrowserElement);
                 let testPerm = Services.perms.testPermissionFromPrincipal(
                                principal, perm.type);
                 return testPerm;
                 """, script_args=[value])
         return permission
 
     def push_permission(self, perm, allow):
         with self.using_context('content'):
@@ -866,19 +865,18 @@ class Marionette(object):
                     """, sandbox='system')
             return
 
         with self.using_context('chrome'):
             self.execute_script("""
                 Components.utils.import("resource://gre/modules/Services.jsm");
                 let perm = arguments[0];
                 let secMan = Services.scriptSecurityManager;
-                let attrs = {appId: perm.appId, inBrowser: perm.isInBrowserElement};
-                let principal = secMan.createCodebasePrincipal(Services.io.newURI(perm.url, null, null),
-                                                               attrs);
+                let principal = secMan.getAppCodebasePrincipal(Services.io.newURI(perm.url, null, null),
+                                perm.appId, perm.isInBrowserElement);
                 Services.perms.addFromPrincipal(principal, perm.type, perm.action);
                 return true;
                 """, script_args=[perm])
 
         with self.using_context('content'):
             self.execute_async_script("""
                 waitFor(marionetteScriptFinished, function() {
                   return window.wrappedJSObject.permChanged;
--- a/testing/mochitest/tests/Harness_sanity/test_bug816847.html
+++ b/testing/mochitest/tests/Harness_sanity/test_bug816847.html
@@ -29,24 +29,29 @@ const appsSvc = Cc["@mozilla.org/AppsSer
                   .getService(Ci.nsIAppsService)
 
 const manifest = "https://example.com/manifest.webapp";
 const allow = Ci.nsIPermissionManager.ALLOW_ACTION;
 const unknown = Ci.nsIPermissionManager.UNKNOWN_ACTION;
 const perms = ['network-events', 'geolocation', 'camera', 'alarms']
 
 function createPrincipal(aURI, aIsApp, aIsInBrowserElement) {
-  if (aIsApp) {
+  if(aIsApp) {
     var app = appsSvc.getAppByManifestURL(aURI);
-    return app.principal;
+    var localId = appsSvc.getAppLocalIdByManifestURL(aURI);
+    var uri = Services.io.newURI(app.origin, null, null);
+    return Services.scriptSecurityManager
+                   .getAppCodebasePrincipal(uri,
+                                            localId,
+                                            aIsInBrowserElement);
   }
 
   var uri = Services.io.newURI(aURI, null, null);
   return Services.scriptSecurityManager
-                 .createCodebasePrincipal(uri, {});
+                 .getNoAppCodebasePrincipal(uri);
 }
 
 // test addPermission and removePermission
 function starttest(){
   var app = appsSvc.getAppByManifestURL(manifest);
   ok(app != null, "Got an app "); 
 
   var origin = app.origin 
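Review bot: In `createPrincipal`, `aIsInBrowserElement` only reaches the app branch; the fallback `getNoAppCodebasePrincipal(uri)` ignores it. A caller passing `aIsApp = false, aIsInBrowserElement = true` therefore gets a plain no-app principal, and permissions are tested against a different identity than requested. A one-line comment above the fallback, `// non-app principals are never in a browser element here; aIsInBrowserElement is ignored`, would record that. The app branch also dereferences `app.origin` without checking that `getAppByManifestURL` returned an app, which `starttest` does check with `ok(app != null, ...)`. As a style point, `if(aIsApp)` drops the space the removed line had.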
--- a/testing/specialpowers/content/SpecialPowersObserverAPI.js
+++ b/testing/specialpowers/content/SpecialPowersObserverAPI.js
@@ -309,19 +309,17 @@ SpecialPowersObserverAPI.prototype = {
         }
         return undefined;	// See comment at the beginning of this function.
       }
 
       case "SPPermissionManager": {
         let msg = aMessage.json;
 
         let secMan = Services.scriptSecurityManager;
-        // TODO: Bug 1196665 - Add originAttributes into SpecialPowers
-        let attrs = {appId: msg.appId, inBrowser: msg.isInBrowserElement};
-        let principal = secMan.createCodebasePrincipal(this._getURI(msg.url), attrs);
+        let principal = secMan.getAppCodebasePrincipal(this._getURI(msg.url), msg.appId, msg.isInBrowserElement);
 
         switch (msg.op) {
           case "add":
             Services.perms.addFromPrincipal(principal, msg.type, msg.permission, msg.expireType, msg.expireTime);
             break;
           case "remove":
             Services.perms.removeFromPrincipal(principal, msg.type);
             break;
--- a/toolkit/components/downloads/ApplicationReputation.cpp
+++ b/toolkit/components/downloads/ApplicationReputation.cpp
@@ -10,29 +10,29 @@
 #include "csd.pb.h"
 
 #include "nsIArray.h"
 #include "nsIApplicationReputation.h"
 #include "nsIChannel.h"
 #include "nsIHttpChannel.h"
 #include "nsIIOService.h"
 #include "nsIPrefService.h"
+#include "nsIScriptSecurityManager.h"
 #include "nsISimpleEnumerator.h"
 #include "nsIStreamListener.h"
 #include "nsIStringStream.h"
 #include "nsITimer.h"
 #include "nsIUploadChannel2.h"
 #include "nsIURI.h"
 #include "nsIURL.h"
 #include "nsIUrlClassifierDBService.h"
 #include "nsIX509Cert.h"
 #include "nsIX509CertDB.h"
 #include "nsIX509CertList.h"
 
-#include "mozilla/BasePrincipal.h"
 #include "mozilla/Preferences.h"
 #include "mozilla/Services.h"
 #include "mozilla/Telemetry.h"
 #include "mozilla/TimeStamp.h"
 #include "mozilla/LoadContext.h"
 
 #include "nsAutoPtr.h"
 #include "nsCOMPtr.h"
@@ -45,18 +45,16 @@
 #include "nsTArray.h"
 #include "nsThreadUtils.h"
 #include "nsXPCOMStrings.h"
 
 #include "nsIContentPolicy.h"
 #include "nsILoadInfo.h"
 #include "nsContentUtils.h"
 
-using mozilla::BasePrincipal;
-using mozilla::OriginAttributes;
 using mozilla::Preferences;
 using mozilla::TimeStamp;
 using mozilla::Telemetry::Accumulate;
 using safe_browsing::ClientDownloadRequest;
 using safe_browsing::ClientDownloadRequest_CertificateChain;
 using safe_browsing::ClientDownloadRequest_Resource;
 using safe_browsing::ClientDownloadRequest_SignatureInfo;
 
@@ -290,22 +288,23 @@ PendingDBLookup::LookupSpecInternal(cons
 {
   nsresult rv;
 
   nsCOMPtr<nsIURI> uri;
   nsCOMPtr<nsIIOService> ios = do_GetService(NS_IOSERVICE_CONTRACTID, &rv);
   rv = ios->NewURI(aSpec, nullptr, nullptr, getter_AddRefs(uri));
   NS_ENSURE_SUCCESS(rv, rv);
 
-  OriginAttributes attrs;
-  nsCOMPtr<nsIPrincipal> principal =
-    BasePrincipal::CreateCodebasePrincipal(uri, attrs);
-  if (!principal) {
-    return NS_ERROR_FAILURE;
-  }
+  nsCOMPtr<nsIPrincipal> principal;
+  nsCOMPtr<nsIScriptSecurityManager> secMan =
+    do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  rv = secMan->GetNoAppCodebasePrincipal(uri, getter_AddRefs(principal));
+  NS_ENSURE_SUCCESS(rv, rv);
 
   // Check local lists to see if the URI has already been whitelisted or
   // blacklisted.
   LOG(("Checking DB service for principal %s [this = %p]", mSpec.get(), this));
   nsCOMPtr<nsIUrlClassifierDBService> dbService =
     do_GetService(NS_URLCLASSIFIERDBSERVICE_CONTRACTID, &rv);
   NS_ENSURE_SUCCESS(rv, rv);
 
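Review bot: In `LookupSpecInternal` the `rv` from `do_GetService(NS_IOSERVICE_CONTRACTID, &rv)` is overwritten by `ios->NewURI(...)` without being checked, so a failed service lookup would dereference a null `ios`. The security-manager lookup added just below is checked properly. For consistency add `NS_ENSURE_SUCCESS(rv, rv);` directly after the `do_GetService` line for `ios`. The function starts before and continues after this hunk.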
--- a/toolkit/components/downloads/test/unit/test_app_rep.js
+++ b/toolkit/components/downloads/test/unit/test_app_rep.js
@@ -312,21 +312,21 @@ add_test(function test_redirect_on_block
                              "http://localhost:4444/download");
   let counts = get_telemetry_counts();
   let listCounts = counts.listCounts;
   listCounts[BLOCK_LIST]++;
   listCounts[ALLOW_LIST]++;
   let secman = Services.scriptSecurityManager;
   let badRedirects = Cc["@mozilla.org/array;1"]
                        .createInstance(Ci.nsIMutableArray);
-  badRedirects.appendElement(secman.createCodebasePrincipal(exampleURI, {}),
+  badRedirects.appendElement(secman.getNoAppCodebasePrincipal(exampleURI),
                              false);
-  badRedirects.appendElement(secman.createCodebasePrincipal(blocklistedURI, {}),
+  badRedirects.appendElement(secman.getNoAppCodebasePrincipal(blocklistedURI),
                              false);
-  badRedirects.appendElement(secman.createCodebasePrincipal(whitelistedURI, {}),
+  badRedirects.appendElement(secman.getNoAppCodebasePrincipal(whitelistedURI),
                              false);
   gAppRep.queryReputation({
     sourceURI: whitelistedURI,
     referrerURI: exampleURI,
     redirects: badRedirects,
     fileSize: 12,
   }, function onComplete(aShouldBlock, aStatus) {
     do_check_eq(Cr.NS_OK, aStatus);
--- a/toolkit/components/places/BookmarkJSONUtils.jsm
+++ b/toolkit/components/places/BookmarkJSONUtils.jsm
@@ -204,17 +204,17 @@ BookmarkImporter.prototype = {
             reject(ex);
           }
         }
       };
 
       let uri = NetUtil.newURI(spec);
       let channel = NetUtil.newChannel({
         uri,
-        loadingPrincipal: Services.scriptSecurityManager.createCodebasePrincipal(uri, {}),
+        loadingPrincipal: Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri),
         contentPolicyType: Ci.nsIContentPolicy.TYPE_INTERNAL_XMLHTTPREQUEST
       });
       let streamLoader = Cc["@mozilla.org/network/stream-loader;1"]
                            .createInstance(Ci.nsIStreamLoader);
       streamLoader.init(streamObserver);
       channel.asyncOpen(streamLoader, channel);
     });
   },
--- a/toolkit/components/places/nsLivemarkService.js
+++ b/toolkit/components/places/nsLivemarkService.js
@@ -523,17 +523,17 @@ Livemark.prototype = {
     try {
       // Create a load group for the request.  This will allow us to
       // automatically keep track of redirects, so we can always
       // cancel the channel.
       let loadgroup = Cc["@mozilla.org/network/load-group;1"].
                       createInstance(Ci.nsILoadGroup);
       let channel = NetUtil.newChannel({
         uri: this.feedURI.spec,
-        loadingPrincipal: Services.scriptSecurityManager.createCodebasePrincipal(this.feedURI, {}),
+        loadingPrincipal: Services.scriptSecurityManager.getNoAppCodebasePrincipal(this.feedURI),
         contentPolicyType: Ci.nsIContentPolicy.TYPE_INTERNAL_XMLHTTPREQUEST
       }).QueryInterface(Ci.nsIHttpChannel);
       channel.loadGroup = loadgroup;
       channel.loadFlags |= Ci.nsIRequest.LOAD_BACKGROUND |
                            Ci.nsIRequest.LOAD_BYPASS_CACHE;
       channel.requestMethod = "GET";
       channel.setRequestHeader("X-Moz", "livebookmarks", false);
 
--- a/toolkit/components/social/SocialService.jsm
+++ b/toolkit/components/social/SocialService.jsm
@@ -148,17 +148,17 @@ XPCOMUtils.defineLazyGetter(SocialServic
     }
   }
   return providers;
 });
 
 function getOriginActivationType(origin) {
   // if this is an about uri, treat it as a directory
   let URI = Services.io.newURI(origin, null, null);
-  let principal = Services.scriptSecurityManager.createCodebasePrincipal(URI, {});
+  let principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(URI);
   if (Services.scriptSecurityManager.isSystemPrincipal(principal) || origin == "moz-safe-about:home") {
     return "internal";
   }
 
   let directories = Services.prefs.getCharPref("social.directories").split(',');
   if (directories.indexOf(origin) >= 0)
     return "directory";
 
@@ -508,17 +508,17 @@ this.SocialService = {
       if (!data['origin']) {
         Cu.reportError("SocialService.manifestFromData directory service provided manifest without origin.");
         return null;
       }
       installOrigin = data.origin;
     }
     // force/fixup origin
     let URI = Services.io.newURI(installOrigin, null, null);
-    principal = Services.scriptSecurityManager.createCodebasePrincipal(URI, {});
+    principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(URI);
     data.origin = principal.origin;
 
     // iconURL and name are required
     let providerHasFeatures = [url for (url of featureURLs) if (data[url])].length > 0;
     if (!providerHasFeatures) {
       Cu.reportError("SocialService.manifestFromData manifest missing required urls.");
       return null;
     }
@@ -709,17 +709,17 @@ function SocialProvider(input) {
   this.shareURL = input.shareURL;
   this.statusURL = input.statusURL;
   this.markURL = input.markURL;
   this.markedIcon = input.markedIcon;
   this.unmarkedIcon = input.unmarkedIcon;
   this.postActivationURL = input.postActivationURL;
   this.origin = input.origin;
   let originUri = Services.io.newURI(input.origin, null, null);
-  this.principal = Services.scriptSecurityManager.createCodebasePrincipal(originUri, {});
+  this.principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(originUri);
   this.ambientNotificationIcons = {};
   this.errorState = null;
   this.frecency = 0;
 
   // this provider has localStorage access in the worker if listed in the
   // whitelist
   let whitelist = Services.prefs.getCharPref("social.whitelist").split(',');
   this.blessed = whitelist.indexOf(this.origin) >= 0;
--- a/toolkit/components/url-classifier/tests/unit/head_urlclassifier.js
+++ b/toolkit/components/url-classifier/tests/unit/head_urlclassifier.js
@@ -216,17 +216,17 @@ tableData : function(expectedTables, cb)
 
 checkUrls: function(urls, expected, cb)
 {
   // work with a copy of the list.
   urls = urls.slice(0);
   var doLookup = function() {
     if (urls.length > 0) {
       var fragment = urls.shift();
-      var principal = secMan.createCodebasePrincipal(iosvc.newURI("http://" + fragment, null, null), {});
+      var principal = secMan.getNoAppCodebasePrincipal(iosvc.newURI("http://" + fragment, null, null));
       dbservice.lookup(principal, allTables,
                                 function(arg) {
                                   do_check_eq(expected, arg);
                                   doLookup();
                                 }, true);
     } else {
       cb();
     }
--- a/toolkit/components/url-classifier/tests/unit/test_dbservice.js
+++ b/toolkit/components/url-classifier/tests/unit/test_dbservice.js
@@ -92,17 +92,17 @@ function testFailure(arg) {
   do_throw(arg);
 }
 
 function checkNoHost()
 {
   // Looking up a no-host uri such as a data: uri should throw an exception.
   var exception;
   try {
-    var principal = secMan.createCodebasePrincipal(iosvc.newURI("data:text/html,<b>test</b>", null, null), {});
+    var principal = secMan.getNoAppCodebasePrincipal(iosvc.newURI("data:text/html,<b>test</b>", null, null));
     dbservice.lookup(principal, allTables);
 
     exception = false;
   } catch(e) {
     exception = true;
   }
   do_check_true(exception);
 
@@ -193,37 +193,36 @@ function unwantedExists(result) {
     checkDone();
   }
 }
 
 function checkState()
 {
   numExpecting = 0;
 
-
   for (var key in phishExpected) {
-    var principal = secMan.createCodebasePrincipal(iosvc.newURI("http://" + key, null, null), {});
+    var principal = secMan.getNoAppCodebasePrincipal(iosvc.newURI("http://" + key, null, null));
     dbservice.lookup(principal, allTables, phishExists, true);
     numExpecting++;
   }
 
   for (var key in phishUnexpected) {
-    var principal = secMan.createCodebasePrincipal(iosvc.newURI("http://" + key, null, null), {});
+    var principal = secMan.getNoAppCodebasePrincipal(iosvc.newURI("http://" + key, null, null));
     dbservice.lookup(principal, allTables, phishDoesntExist, true);
     numExpecting++;
   }
 
   for (var key in malwareExpected) {
-    var principal = secMan.createCodebasePrincipal(iosvc.newURI("http://" + key, null, null), {});
+    var principal = secMan.getNoAppCodebasePrincipal(iosvc.newURI("http://" + key, null, null));
     dbservice.lookup(principal, allTables, malwareExists, true);
     numExpecting++;
   }
 
   for (var key in unwantedExpected) {
-    var principal = secMan.createCodebasePrincipal(iosvc.newURI("http://" + key, null, null), {});
+    var principal = secMan.getNoAppCodebasePrincipal(iosvc.newURI("http://" + key, null, null));
     dbservice.lookup(principal, allTables, unwantedExists, true);
     numExpecting++;
   }
 }
 
 function testSubSuccess(result)
 {
   do_check_eq(result, "1000");
--- a/toolkit/components/url-classifier/tests/unit/test_digest256.js
+++ b/toolkit/components/url-classifier/tests/unit/test_digest256.js
@@ -119,28 +119,28 @@ add_test(function test_update() {
     "goog-downloadwhite-digest256",
     "goog-downloadwhite-digest256;\n",
     "http://localhost:4444/downloads",
     updateSuccess, handleError, handleError);
 });
 
 add_test(function test_url_not_whitelisted() {
   let uri = createURI("http://example.com");
-  let principal = gSecMan.createCodebasePrincipal(uri, {});
+  let principal = gSecMan.getNoAppCodebasePrincipal(uri);
   gDbService.lookup(principal, "goog-downloadwhite-digest256",
     function handleEvent(aEvent) {
       // This URI is not on any lists.
       do_check_eq("", aEvent);
       run_next_test();
     });
 });
 
 add_test(function test_url_whitelisted() {
   // Hash of "whitelisted.com/" (canonicalized URL) is:
   // 93CA5F48E15E9861CD37C2D95DB43D23CC6E6DE5C3F8FA6E8BE66F97CC518907
   let uri = createURI("http://whitelisted.com");
-  let principal = gSecMan.createCodebasePrincipal(uri, {});
+  let principal = gSecMan.getNoAppCodebasePrincipal(uri);
   gDbService.lookup(principal, "goog-downloadwhite-digest256",
     function handleEvent(aEvent) {
       do_check_eq("goog-downloadwhite-digest256", aEvent);
       run_next_test();
     });
 });
--- a/toolkit/devtools/server/actors/storage.js
+++ b/toolkit/devtools/server/actors/storage.js
@@ -1319,17 +1319,17 @@ let indexedDBHelpers = {
    */
   openWithOrigin: function(host, name) {
     let principal;
 
     if (/^(about:|chrome:)/.test(host)) {
       principal = Services.scriptSecurityManager.getSystemPrincipal();
     } else {
       let uri = Services.io.newURI(host, null, null);
-      principal = Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
+      principal = Services.scriptSecurityManager.getCodebasePrincipal(uri);
     }
 
     return require("indexedDB").openForPrincipal(principal, name);
   },
 
     /**
    * Fetches all the databases and their metadata for the given `host`.
    */
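Review bot: `openWithOrigin` is the only call site in this patch restored to `getCodebasePrincipal(uri)`; every other no-app site uses `getNoAppCodebasePrincipal(uri)`. If the two are equivalent (the former looks like the legacy name), use `principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri);` so the app-id semantics of the IndexedDB principal are explicit. Separately, the `/^(about:|chrome:)/` branch hands out the system principal based only on a string prefix of `host`, so a short comment stating who supplies `host` would be worth adding.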
--- a/toolkit/forgetaboutsite/test/unit/test_removeDataFromDomain.js
+++ b/toolkit/forgetaboutsite/test/unit/test_removeDataFromDomain.js
@@ -180,19 +180,19 @@ function check_login_exists(aHost, aExis
  * @param aURI
  *        The URI to add the test permission for.
  */
 function add_permission(aURI)
 {
   check_permission_exists(aURI, false);
   let pm = Cc["@mozilla.org/permissionmanager;1"].
            getService(Ci.nsIPermissionManager);
-  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
-  let principal = ssm.createCodebasePrincipal(aURI, {});
+  let principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(aURI);
 
   pm.addFromPrincipal(principal, PERMISSION_TYPE, PERMISSION_VALUE);
   check_permission_exists(aURI, true);
 }
 
 /**
  * Checks to see if a permission exists for the given URI.
  *
@@ -200,19 +200,19 @@ function add_permission(aURI)
  *        The URI to check if a permission exists.
  * @param aExists
  *        True if the permission should exist, false otherwise.
  */
 function check_permission_exists(aURI, aExists)
 {
   let pm = Cc["@mozilla.org/permissionmanager;1"].
            getService(Ci.nsIPermissionManager);
-  let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
-  let principal = ssm.createCodebasePrincipal(aURI, {});
+  let principal = Cc["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(aURI);
 
   let perm = pm.testExactPermissionFromPrincipal(principal, PERMISSION_TYPE);
   let checker = aExists ? do_check_eq : do_check_neq;
   checker(perm, PERMISSION_VALUE);
 }
 
 /**
  * Adds a content preference for the specified URI.
@@ -549,20 +549,19 @@ function test_cache_cleared()
   ForgetAboutSite.removeDataFromDomain("mozilla.org");
   do_test_pending();
 }
 
 function test_storage_cleared()
 {
   function getStorageForURI(aURI)
   {
-    let ssm = Cc["@mozilla.org/scriptsecuritymanager;1"]
-              .getService(Ci.nsIScriptSecurityManager);
-    let principal = ssm.createCodebasePrincipal(aURI, {});
-
+    let principal = Cc["@mozilla.org/scriptsecuritymanager;1"].
+                    getService(Ci.nsIScriptSecurityManager).
+                    getNoAppCodebasePrincipal(aURI);
     let dsm = Cc["@mozilla.org/dom/localStorage-manager;1"].
               getService(Ci.nsIDOMStorageManager);
     return dsm.createStorage(null, principal, "");
   }
 
   let s = [
     getStorageForURI(uri("http://mozilla.org")),
     getStorageForURI(uri("http://my.mozilla.org")),
--- a/toolkit/modules/NewTabUtils.jsm
+++ b/toolkit/modules/NewTabUtils.jsm
@@ -20,17 +20,17 @@ XPCOMUtils.defineLazyModuleGetter(this, 
 XPCOMUtils.defineLazyModuleGetter(this, "PageThumbs",
   "resource://gre/modules/PageThumbs.jsm");
 
 XPCOMUtils.defineLazyModuleGetter(this, "BinarySearch",
   "resource://gre/modules/BinarySearch.jsm");
 
 XPCOMUtils.defineLazyGetter(this, "gPrincipal", function () {
   let uri = Services.io.newURI("about:newtab", null, null);
-  return Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
+  return Services.scriptSecurityManager.getNoAppCodebasePrincipal(uri);
 });
 
 XPCOMUtils.defineLazyGetter(this, "gCryptoHash", function () {
   return Cc["@mozilla.org/security/hash;1"].createInstance(Ci.nsICryptoHash);
 });
 
 XPCOMUtils.defineLazyGetter(this, "gUnicodeConverter", function () {
   let converter = Cc["@mozilla.org/intl/scriptableunicodeconverter"]
--- a/toolkit/modules/PermissionsUtils.jsm
+++ b/toolkit/modules/PermissionsUtils.jsm
@@ -34,18 +34,18 @@ function importPrefBranch(aPrefBranch, a
         // This preference used to contain a list of hosts. For back-compat
         // reasons, we convert these hosts into http:// and https:// permissions
         // on default ports.
         try {
           let httpURI = Services.io.newURI("http://" + origin, null, null);
           let httpsURI = Services.io.newURI("https://" + origin, null, null);
 
           principals = [
-            Services.scriptSecurityManager.createCodebasePrincipal(httpURI, {}),
-            Services.scriptSecurityManager.createCodebasePrincipal(httpsURI, {})
+            Services.scriptSecurityManager.getNoAppCodebasePrincipal(httpURI),
+            Services.scriptSecurityManager.getNoAppCodebasePrincipal(httpsURI)
           ];
         } catch (e2) {}
       }
 
       for (let principal of principals) {
         try {
           Services.perms.addFromPrincipal(principal, aPermission, aAction);
         } catch (e) {}
--- a/toolkit/webapps/NativeApp.jsm
+++ b/toolkit/webapps/NativeApp.jsm
@@ -452,19 +452,20 @@ function downloadIcon(aIconURI) {
     });
 #endif
 
     // If not fetching an icon from chrome:// then we should create a
     // NoAppCodeBasePrincipal. Note, that we are still in the process of
     // installing the app, hence app.origin is not available yet and
     // therefore we can not call getAppCodebasePrincipal.
     let principal =
-      aIconURI.schemeIs("chrome") ?
-        Services.scriptSecurityManager.getSystemPrincipal() :
-        Services.scriptSecurityManager.createCodebasePrincipal(aIconURI, {});
+      aIconURI.schemeIs("chrome") ? Services.scriptSecurityManager
+                                            .getSystemPrincipal()
+                                  : Services.scriptSecurityManager
+                                            .getNoAppCodebasePrincipal(aIconURI);
 
     let channel = NetUtil.newChannel({
       uri: aIconURI,
       loadingPrincipal: principal,
       contentPolicyType: Ci.nsIContentPolicy.TYPE_IMAGE});
     let { BadCertHandler } = Cu.import("resource://gre/modules/CertUtils.jsm", {});
     // Pass true to avoid optional redirect-cert-checking behavior.
     channel.notificationCallbacks = new BadCertHandler(true);
--- a/uriloader/prefetch/OfflineCacheUpdateParent.cpp
+++ b/uriloader/prefetch/OfflineCacheUpdateParent.cpp
@@ -1,27 +1,25 @@
 /* -*- mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "OfflineCacheUpdateParent.h"
 
-#include "mozilla/BasePrincipal.h"
 #include "mozilla/dom/TabParent.h"
 #include "mozilla/ipc/URIUtils.h"
 #include "mozilla/unused.h"
 #include "nsOfflineCacheUpdate.h"
 #include "nsIApplicationCache.h"
 #include "nsIScriptSecurityManager.h"
 #include "nsNetUtil.h"
+#include "nsContentUtils.h"
 
 using namespace mozilla::ipc;
-using mozilla::BasePrincipal;
-using mozilla::OriginAttributes;
 using mozilla::dom::TabParent;
 
 //
 // To enable logging (see prlog.h for full details):
 //
 //    set NSPR_LOG_MODULES=nsOfflineCacheUpdate:5
 //    set NSPR_LOG_FILE=offlineupdate.log
 //
@@ -88,20 +86,20 @@ OfflineCacheUpdateParent::Schedule(const
 
     nsOfflineCacheUpdateService* service =
         nsOfflineCacheUpdateService::EnsureService();
     if (!service)
         return NS_ERROR_FAILURE;
 
     bool offlinePermissionAllowed = false;
 
-    // TODO: Bug 1165466 - use OriginAttributes
-    OriginAttributes attrs(mAppId, mIsInBrowserElement);
-    nsCOMPtr<nsIPrincipal> principal =
-      BasePrincipal::CreateCodebasePrincipal(manifestURI, attrs);
+    nsCOMPtr<nsIPrincipal> principal;
+    nsContentUtils::GetSecurityManager()->
+        GetAppCodebasePrincipal(manifestURI, mAppId, mIsInBrowserElement,
+                                getter_AddRefs(principal));
 
     nsresult rv = service->OfflineAppAllowed(
         principal, nullptr, &offlinePermissionAllowed);
     NS_ENSURE_SUCCESS(rv, rv);
 
     if (!offlinePermissionAllowed)
         return NS_ERROR_DOM_SECURITY_ERR;
 
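Review bot: The nsresult of `GetAppCodebasePrincipal` in `Schedule` is discarded, so on failure `principal` stays null and is passed straight to `service->OfflineAppAllowed(principal, ...)`, which is the permission gate for this update. Capture and check it: `nsresult rv = nsContentUtils::GetSecurityManager()->GetAppCodebasePrincipal(manifestURI, mAppId, mIsInBrowserElement, getter_AddRefs(principal));` then `NS_ENSURE_SUCCESS(rv, rv);`, and turn the later `nsresult rv = service->OfflineAppAllowed(` into an assignment. The same unchecked pattern appears with `GetNoAppCodebasePrincipal` in `OfflineAppAllowedForURI` and `OfflineAppPinnedForURI` in nsOfflineCacheUpdateService.cpp. Whether `OfflineAppPermForPrincipal` tolerates a null principal is not visible here, so failing closed at the call site is the safer choice. `Schedule` begins and ends outside the hunk.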
--- a/uriloader/prefetch/nsOfflineCacheUpdateService.cpp
+++ b/uriloader/prefetch/nsOfflineCacheUpdateService.cpp
@@ -24,16 +24,17 @@
 #include "nsIDocument.h"
 #include "nsIObserverService.h"
 #include "nsIURL.h"
 #include "nsIWebProgress.h"
 #include "nsIWebNavigation.h"
 #include "nsICryptoHash.h"
 #include "nsIPermissionManager.h"
 #include "nsIPrincipal.h"
+#include "nsIScriptSecurityManager.h"
 #include "nsNetCID.h"
 #include "nsServiceManagerUtils.h"
 #include "nsStreamUtils.h"
 #include "nsThreadUtils.h"
 #include "nsProxyRelease.h"
 #include "mozilla/Logging.h"
 #include "nsIAsyncVerifyRedirectCallback.h"
 #include "mozilla/Preferences.h"
@@ -712,30 +713,30 @@ nsOfflineCacheUpdateService::OfflineAppA
     return OfflineAppPermForPrincipal(aPrincipal, aPrefBranch, false, aAllowed);
 }
 
 NS_IMETHODIMP
 nsOfflineCacheUpdateService::OfflineAppAllowedForURI(nsIURI *aURI,
                                                      nsIPrefBranch *aPrefBranch,
                                                      bool *aAllowed)
 {
-    OriginAttributes attrs;
-    nsCOMPtr<nsIPrincipal> principal =
-        BasePrincipal::CreateCodebasePrincipal(aURI, attrs);
+    nsCOMPtr<nsIPrincipal> principal;
+    nsContentUtils::GetSecurityManager()->
+        GetNoAppCodebasePrincipal(aURI, getter_AddRefs(principal));
     return OfflineAppPermForPrincipal(principal, aPrefBranch, false, aAllowed);
 }
 
 nsresult
 nsOfflineCacheUpdateService::OfflineAppPinnedForURI(nsIURI *aDocumentURI,
                                                     nsIPrefBranch *aPrefBranch,
                                                     bool *aPinned)
 {
-    OriginAttributes attrs;
-    nsCOMPtr<nsIPrincipal> principal =
-        BasePrincipal::CreateCodebasePrincipal(aDocumentURI, attrs);
+    nsCOMPtr<nsIPrincipal> principal;
+    nsContentUtils::GetSecurityManager()->
+        GetNoAppCodebasePrincipal(aDocumentURI, getter_AddRefs(principal));
     return OfflineAppPermForPrincipal(principal, aPrefBranch, true, aPinned);
 }
 
 NS_IMETHODIMP
 nsOfflineCacheUpdateService::AllowOfflineApp(nsIDOMWindow *aWindow,
                                              nsIPrincipal *aPrincipal)
 {
     nsresult rv;