Bug 789224 - Remove principal capability and preference infrastructure. r=mrbkap
authorBobby Holley <bobbyholley@gmail.com>
Mon, 22 Oct 2012 08:29:55 +0200
changeset 111136 50d1235983d3ce037e86506054ff6cad202285a5
parent 111135 77749ba52bbf3e5e857e182577cc199b5ab38906
child 111137 6980e4e0ceecf7c3633285d4bf1d4ec4e1602b6a
push id93
push usernmatsakis@mozilla.com
push dateWed, 31 Oct 2012 21:26:57 +0000
reviewersmrbkap
bugs789224
milestone19.0a1
Bug 789224 - Remove principal capability and preference infrastructure. r=mrbkap
caps/idl/nsIPrincipal.idl
caps/include/nsPrincipal.h
caps/include/nsScriptSecurityManager.h
caps/src/nsNullPrincipal.cpp
caps/src/nsPrincipal.cpp
caps/src/nsScriptSecurityManager.cpp
caps/src/nsSystemPrincipal.cpp
--- a/caps/idl/nsIPrincipal.idl
+++ b/caps/idl/nsIPrincipal.idl
@@ -16,44 +16,20 @@ struct JSPrincipals;
 
 interface nsIURI;
 interface nsIContentSecurityPolicy;
 
 [ptr] native JSContext(JSContext);
 [ptr] native JSPrincipals(JSPrincipals);
 [ptr] native PrincipalArray(nsTArray<nsCOMPtr<nsIPrincipal> >);
 
-[scriptable, uuid(115d1081-373e-4837-8d12-d0f4874f3467)]
+[scriptable, uuid(96a92f0c-adcb-44ac-a034-37627647ec97)]
 interface nsIPrincipal : nsISerializable
 {
     /**
-     * Values of capabilities for each principal. Order is
-     * significant: if an operation is performed on a set
-     * of capabilities, the minimum is computed.
-     */
-    const short ENABLE_DENIED                = 1;
-    const short ENABLE_UNKNOWN               = 2;
-    const short ENABLE_WITH_USER_PERMISSION  = 3;
-    const short ENABLE_GRANTED               = 4;
-
-    /**
-     * Returns the security preferences associated with this principal.
-     * prefBranch will be set to the pref branch to which these preferences
-     * pertain.  id is a pseudo-unique identifier, pertaining to either the
-     * fingerprint or the origin.  subjectName is a name that identifies the
-     * entity this principal represents (may be empty).  grantedList and
-     * deniedList are space-separated lists of capabilities which were
-     * explicitly granted or denied by a pref.  isTrusted is a boolean that
-     * indicates whether this is a codebaseTrusted certificate.
-     */
-    void getPreferences(out string prefBranch, out string id,
-                        out string subjectName, out string grantedList,
-                        out string deniedList, out boolean isTrusted);
-
-    /**
      * Returns whether the other principal is equivalent to this principal.
      * Principals are considered equal if they are the same principal,
      * they have the same origin, or have the same certificate fingerprint ID
      */
     boolean equals(in nsIPrincipal other);
 
     /**
      * Like equals, but doesn't take document.domain changes into account.
@@ -75,24 +51,16 @@ interface nsIPrincipal : nsISerializable
     // happens if this principal is in our hashtable and we pass it out of the
     // security manager and someone writes to this field?  Especially if they
     // write garbage?  If we need to give someone other than the security
     // manager a way to set this (which I question, since it can increase the
     // permissions of a page) it should be a |void clearSecurityPolicy()|
     // method.
     [noscript] attribute voidPtr securityPolicy;
 
-    // XXXcaa probably should be turned into {get|set}CapabilityFlags
-    // XXXbz again, what if this lives in our hashtable and someone
-    // messes with it?  Is that OK?
-    [noscript] short canEnableCapability(in string capability);
-    [noscript] boolean isCapabilityEnabled(in string capability,
-                                           in voidPtr annotation);
-    [noscript] void enableCapability(in string capability,
-                                     inout voidPtr annotation);
     /**
      * The codebase URI to which this principal pertains.  This is
      * generally the document URI.
      */
     readonly attribute nsIURI URI;
 
     /**
      * The domain URI to which this principal pertains.
--- a/caps/include/nsPrincipal.h
+++ b/caps/include/nsPrincipal.h
@@ -27,53 +27,37 @@ public:
   nsBasePrincipal();
 
 protected:
   virtual ~nsBasePrincipal();
 
 public:
   NS_IMETHOD_(nsrefcnt) AddRef(void);
   NS_IMETHOD_(nsrefcnt) Release(void);
-  NS_IMETHOD GetPreferences(char** prefBranch, char** id, char** subjectName, char** grantedList, char** deniedList, bool* isTrusted);
   NS_IMETHOD GetSecurityPolicy(void** aSecurityPolicy);
   NS_IMETHOD SetSecurityPolicy(void* aSecurityPolicy);
-  NS_IMETHOD CanEnableCapability(const char* capability, int16_t* _retval);
-  NS_IMETHOD IsCapabilityEnabled(const char* capability, void* annotation, bool* _retval);
-  NS_IMETHOD EnableCapability(const char* capability, void** annotation);
   NS_IMETHOD GetHasCertificate(bool* aHasCertificate);
   NS_IMETHOD GetFingerprint(nsACString& aFingerprint);
   NS_IMETHOD GetPrettyName(nsACString& aPrettyName);
   NS_IMETHOD GetSubjectName(nsACString& aSubjectName);
   NS_IMETHOD GetCertificate(nsISupports** aCertificate);
   NS_IMETHOD GetCsp(nsIContentSecurityPolicy** aCsp);
   NS_IMETHOD SetCsp(nsIContentSecurityPolicy* aCsp);
 public:
 
   // Call this to ensure that this principal has a subject name, a pretty name,
   // and a cert pointer.  This method will throw if there is already a
   // different subject name or if this principal has no certificate.
   nsresult EnsureCertData(const nsACString& aSubjectName,
                           const nsACString& aPrettyName,
                           nsISupports* aCert);
 
-  enum AnnotationValue { AnnotationEnabled=1, AnnotationDisabled };
-
-  nsresult SetCapability(const char* capability, void** annotation, 
-                         AnnotationValue value);
-
   static const char sInvalid[];
 
 protected:
-  // Formerly an IDL method. Now just a protected helper.
-  nsresult SetCanEnableCapability(const char* capability, int16_t canEnable);
-
-  nsTArray< nsAutoPtr<nsHashtable> > mAnnotations;
-  nsHashtable* mCapabilities;
-  nsCString mPrefName;
-  static int32_t sCapabilitiesOrdinal;
 
   // XXXcaa This is a semi-hack.  The best solution here is to keep
   // a reference to an interface here, except there is no interface
   // that we can use yet.
   struct Certificate
   {
     Certificate(const nsACString& aFingerprint, const nsACString& aSubjectName,
                 const nsACString& aPrettyName, nsISupports* aCert)
@@ -104,17 +88,16 @@ protected:
   // Keep this is a pointer, even though it may slightly increase the
   // cost of keeping a certificate, this is a good tradeoff though since
   // it is very rare that we actually have a certificate.
   nsAutoPtr<Certificate> mCert;
 
   DomainPolicy* mSecurityPolicy;
 
   nsCOMPtr<nsIContentSecurityPolicy> mCSP;
-  bool mTrusted;
 };
 
 class nsPrincipal : public nsBasePrincipal
 {
 public:
   NS_DECL_ISUPPORTS_INHERITED
   NS_DECL_NSISERIALIZABLE
   NS_IMETHOD Equals(nsIPrincipal* other, bool* _retval);
@@ -133,36 +116,24 @@ public:
   NS_IMETHOD GetIsInBrowserElement(bool* aIsInBrowserElement);
   NS_IMETHOD GetUnknownAppId(bool* aUnknownAppId);
 #ifdef DEBUG
   virtual void dumpImpl();
 #endif
 
   nsPrincipal();
 
-  // Either Init() or InitFromPersistent() must be called before
-  // the principal is in a usable state.
+  // Init() must be called before the principal is in a usable state.
   nsresult Init(const nsACString& aCertFingerprint,
                 const nsACString& aSubjectName,
                 const nsACString& aPrettyName,
                 nsISupports* aCert,
                 nsIURI* aCodebase,
                 uint32_t aAppId,
                 bool aInMozBrowser);
-  nsresult InitFromPersistent(const char* aPrefName,
-                              const nsCString& aFingerprint,
-                              const nsCString& aSubjectName,
-                              const nsACString& aPrettyName,
-                              const char* aGrantedList,
-                              const char* aDeniedList,
-                              nsISupports* aCert,
-                              bool aIsCert,
-                              bool aTrusted,
-                              uint32_t aAppId,
-                              bool aInMozBrowser);
 
   virtual void GetScriptLocation(nsACString& aStr) MOZ_OVERRIDE;
   void SetURI(nsIURI* aURI);
 
   static bool IsPrincipalInherited(nsIURI* aURI) {
     // return true if the loadee URI has
     // the URI_INHERITS_SECURITY_CONTEXT flag set.
     bool doesInheritSecurityContext;
--- a/caps/include/nsScriptSecurityManager.h
+++ b/caps/include/nsScriptSecurityManager.h
@@ -529,32 +529,23 @@ private:
                         const char* aObjectSecurityLevel);
 
     nsresult
     Init();
 
     nsresult
     InitPrefs();
 
-    static nsresult 
-    GetPrincipalPrefNames(const char* prefBase,
-                          nsCString& grantedPref,
-                          nsCString& deniedPref,
-                          nsCString& subjectNamePref);
-
     nsresult
     InitPolicies();
 
     nsresult
     InitDomainPolicy(JSContext* cx, const char* aPolicyName,
                      DomainPolicy* aDomainPolicy);
 
-    nsresult
-    InitPrincipals(uint32_t prefCount, const char** prefNames);
-
 #ifdef DEBUG_CAPS_HACKER
     void
     PrintPolicyDB();
 #endif
 
     // JS strings we need to clean up on shutdown
     static jsid sEnabledID;
 
@@ -562,17 +553,16 @@ private:
     ScriptSecurityPrefChanged();
 
     nsObjectHashtable* mOriginToPolicyMap;
     DomainPolicy* mDefaultPolicy;
     nsObjectHashtable* mCapabilities;
 
     nsCOMPtr<nsIPrincipal> mSystemPrincipal;
     nsCOMPtr<nsIPrincipal> mSystemCertificate;
-    nsInterfaceHashtable<PrincipalKey, nsIPrincipal> mPrincipals;
     bool mPrefInitialized;
     bool mIsJavaScriptEnabled;
     bool mIsWritingPrefs;
     bool mPolicyPrefsChanged;
 
     static bool sStrictFileOriginPolicy;
 
     static nsIIOService    *sIOService;
--- a/caps/src/nsNullPrincipal.cpp
+++ b/caps/src/nsNullPrincipal.cpp
@@ -119,33 +119,16 @@ void nsNullPrincipal::dumpImpl()
 }
 #endif 
 
 /**
  * nsIPrincipal implementation
  */
 
 NS_IMETHODIMP
-nsNullPrincipal::GetPreferences(char** aPrefName, char** aID,
-                                char** aSubjectName,
-                                char** aGrantedList, char** aDeniedList,
-                                bool* aIsTrusted)
-{
-  // The null principal should never be written to preferences.
-  *aPrefName = nullptr;
-  *aID = nullptr;
-  *aSubjectName = nullptr;
-  *aGrantedList = nullptr;
-  *aDeniedList = nullptr;
-  *aIsTrusted = false;
-
-  return NS_ERROR_FAILURE; 
-}
-
-NS_IMETHODIMP
 nsNullPrincipal::Equals(nsIPrincipal *aOther, bool *aResult)
 {
   // Just equal to ourselves.  Note that nsPrincipal::Equals will return false
   // for us since we have a unique domain/origin/etc.
   *aResult = (aOther == this);
   return NS_OK;
 }
 
@@ -175,43 +158,16 @@ NS_IMETHODIMP
 nsNullPrincipal::SetSecurityPolicy(void* aSecurityPolicy)
 {
   // We don't actually do security policy caching.  And it's not like anyone
   // can set a security policy for us anyway.
   return NS_OK;
 }
 
 NS_IMETHODIMP 
-nsNullPrincipal::CanEnableCapability(const char *aCapability, 
-                                     int16_t *aResult)
-{
-  // Null principal can enable no capabilities.
-  *aResult = nsIPrincipal::ENABLE_DENIED;
-  return NS_OK;
-}
-
-NS_IMETHODIMP 
-nsNullPrincipal::IsCapabilityEnabled(const char *aCapability, 
-                                     void *aAnnotation, 
-                                     bool *aResult)
-{
-  // Nope.  No capabilities, I say!
-  *aResult = false;
-  return NS_OK;
-}
-
-NS_IMETHODIMP 
-nsNullPrincipal::EnableCapability(const char *aCapability, void **aAnnotation)
-{
-  NS_NOTREACHED("Didn't I say it?  NO CAPABILITIES!");
-  *aAnnotation = nullptr;
-  return NS_OK;
-}
-
-NS_IMETHODIMP 
 nsNullPrincipal::GetURI(nsIURI** aURI)
 {
   return NS_EnsureSafeToReturn(mURI, aURI);
 }
 
 NS_IMETHODIMP
 nsNullPrincipal::GetCsp(nsIContentSecurityPolicy** aCsp)
 {
--- a/caps/src/nsPrincipal.cpp
+++ b/caps/src/nsPrincipal.cpp
@@ -44,17 +44,16 @@ static bool URIIsImmutable(nsIURI* aURI)
   bool isMutable;
   return
     mutableObj &&
     NS_SUCCEEDED(mutableObj->GetMutable(&isMutable)) &&
     !isMutable;                               
 }
 
 // Static member variables
-int32_t nsBasePrincipal::sCapabilitiesOrdinal = 0;
 const char nsBasePrincipal::sInvalid[] = "Invalid";
 
 NS_IMETHODIMP_(nsrefcnt)
 nsBasePrincipal::AddRef()
 {
   NS_PRECONDITION(int32_t(refcount) >= 0, "illegal refcnt");
   // XXXcaa does this need to be threadsafe?  See bug 143559.
   nsrefcnt count = PR_ATOMIC_INCREMENT(&refcount);
@@ -70,36 +69,32 @@ nsBasePrincipal::Release()
   NS_LOG_RELEASE(this, count, "nsBasePrincipal");
   if (count == 0) {
     delete this;
   }
 
   return count;
 }
 
-nsBasePrincipal::nsBasePrincipal()
-  : mCapabilities(nullptr),
-    mSecurityPolicy(nullptr),
-    mTrusted(false)
+nsBasePrincipal::nsBasePrincipal() : mSecurityPolicy(nullptr)
 {
   if (!gIsObservingCodeBasePrincipalSupport) {
     nsresult rv =
       Preferences::AddBoolVarCache(&gCodeBasePrincipalSupport,
                                    "signed.applets.codebase_principal_support",
                                    false);
     gIsObservingCodeBasePrincipalSupport = NS_SUCCEEDED(rv);
     NS_WARN_IF_FALSE(gIsObservingCodeBasePrincipalSupport,
                      "Installing gCodeBasePrincipalSupport failed!");
   }
 }
 
 nsBasePrincipal::~nsBasePrincipal(void)
 {
   SetSecurityPolicy(nullptr); 
-  delete mCapabilities;
 }
 
 NS_IMETHODIMP
 nsBasePrincipal::GetSecurityPolicy(void** aSecurityPolicy)
 {
   if (mSecurityPolicy && mSecurityPolicy->IsInvalid()) 
     SetSecurityPolicy(nullptr);
   
@@ -134,204 +129,28 @@ nsBasePrincipal::CertificateEquals(nsIPr
   if (!mCert)
     return true;
 
   nsAutoCString str;
   aOther->GetFingerprint(str);
   if (!str.Equals(mCert->fingerprint))
     return false;
 
-  // If either subject name is empty, just let the result stand (so that
-  // nsScriptSecurityManager::SetCanEnableCapability works), but if they're
+  // If either subject name is empty, just let the result stand, but if they're
   // both non-empty, only claim equality if they're equal.
   if (!mCert->subjectName.IsEmpty()) {
     // Check the other principal's subject name
     aOther->GetSubjectName(str);
     return str.Equals(mCert->subjectName) || str.IsEmpty();
   }
 
   return true;
 }
 
 NS_IMETHODIMP
-nsBasePrincipal::CanEnableCapability(const char *capability, int16_t *result)
-{
-  // If this principal is marked invalid, can't enable any capabilities
-  if (mCapabilities) {
-    nsCStringKey invalidKey(sInvalid);
-    if (mCapabilities->Exists(&invalidKey)) {
-      *result = nsIPrincipal::ENABLE_DENIED;
-
-      return NS_OK;
-    }
-  }
-
-  if (!mCert && !mTrusted) {
-    // If we are a non-trusted codebase principal, capabilities can not
-    // be enabled if the user has not set the pref allowing scripts to
-    // request enhanced capabilities; however, the file: and resource:
-    // schemes are special and may be able to get extra capabilities
-    // even with the pref disabled.
-    nsCOMPtr<nsIURI> codebase;
-    GetURI(getter_AddRefs(codebase));
-    if (!gCodeBasePrincipalSupport && codebase) {
-      bool mightEnable = false;     
-      nsresult rv = codebase->SchemeIs("file", &mightEnable);
-      if (NS_FAILED(rv) || !mightEnable) {
-        rv = codebase->SchemeIs("resource", &mightEnable);
-        if (NS_FAILED(rv) || !mightEnable) {
-          *result = nsIPrincipal::ENABLE_DENIED;
-          return NS_OK;
-        }
-      }
-    }
-  }
-
-  const char *start = capability;
-  *result = nsIPrincipal::ENABLE_GRANTED;
-  for(;;) {
-    const char *space = PL_strchr(start, ' ');
-    int32_t len = space ? space - start : strlen(start);
-    nsAutoCString capString(start, len);
-    nsCStringKey key(capString);
-    int16_t value =
-      mCapabilities ? (int16_t)NS_PTR_TO_INT32(mCapabilities->Get(&key)) : 0;
-    if (value == 0 || value == nsIPrincipal::ENABLE_UNKNOWN) {
-      // We don't know whether we can enable this capability,
-      // so we should ask the user.
-      value = nsIPrincipal::ENABLE_WITH_USER_PERMISSION;
-    }
-
-    if (value < *result) {
-      *result = value;
-    }
-
-    if (!space) {
-      break;
-    }
-
-    start = space + 1;
-  }
-
-  return NS_OK;
-}
-
-nsresult
-nsBasePrincipal::SetCanEnableCapability(const char *capability,
-                                        int16_t canEnable)
-{
-  // If this principal is marked invalid, can't enable any capabilities
-  if (!mCapabilities) {
-    mCapabilities = new nsHashtable(7);  // XXXbz gets bumped up to 16 anyway
-    NS_ENSURE_TRUE(mCapabilities, NS_ERROR_OUT_OF_MEMORY);
-  }
-
-  nsCStringKey invalidKey(sInvalid);
-  if (mCapabilities->Exists(&invalidKey)) {
-    return NS_OK;
-  }
-
-  if (PL_strcmp(capability, sInvalid) == 0) {
-    mCapabilities->Reset();
-  }
-
-  const char *start = capability;
-  for(;;) {
-    const char *space = PL_strchr(start, ' ');
-    int len = space ? space - start : strlen(start);
-    nsAutoCString capString(start, len);
-    nsCStringKey key(capString);
-    mCapabilities->Put(&key, NS_INT32_TO_PTR(canEnable));
-    if (!space) {
-      break;
-    }
-
-    start = space + 1;
-  }
-
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsBasePrincipal::IsCapabilityEnabled(const char *capability, void *annotation,
-                                     bool *result)
-{
-  *result = false;
-  nsHashtable *ht = (nsHashtable *) annotation;
-  if (!ht) {
-    return NS_OK;
-  }
-  const char *start = capability;
-  for(;;) {
-    const char *space = PL_strchr(start, ' ');
-    int len = space ? space - start : strlen(start);
-    nsAutoCString capString(start, len);
-    nsCStringKey key(capString);
-    *result = (ht->Get(&key) == (void *) AnnotationEnabled);
-    if (!*result) {
-      // If any single capability is not enabled, then return false.
-      return NS_OK;
-    }
-
-    if (!space) {
-      return NS_OK;
-    }
-
-    start = space + 1;
-  }
-
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsBasePrincipal::EnableCapability(const char *capability, void **annotation)
-{
-  return SetCapability(capability, annotation, AnnotationEnabled);
-}
-
-nsresult
-nsBasePrincipal::SetCapability(const char *capability, void **annotation,
-                               AnnotationValue value)
-{
-  if (*annotation == nullptr) {
-    nsHashtable* ht = new nsHashtable(5);
-
-    if (!ht) {
-       return NS_ERROR_OUT_OF_MEMORY;
-     }
-
-    // This object owns its annotations. Save them so we can release
-    // them when we destroy this object.
-    if (!mAnnotations.AppendElement(ht)) {
-      delete ht;
-      return NS_ERROR_OUT_OF_MEMORY;
-    }
-
-    *annotation = ht;
-  }
-
-  const char *start = capability;
-  for(;;) {
-    const char *space = PL_strchr(start, ' ');
-    int len = space ? space - start : strlen(start);
-    nsAutoCString capString(start, len);
-    nsCStringKey key(capString);
-    nsHashtable *ht = static_cast<nsHashtable *>(*annotation);
-    ht->Put(&key, (void *) value);
-    if (!space) {
-      break;
-    }
-
-    start = space + 1;
-  }
-
-  return NS_OK;
-}
-
-NS_IMETHODIMP
 nsBasePrincipal::GetHasCertificate(bool* aResult)
 {
   *aResult = (mCert != nullptr);
 
   return NS_OK;
 }
 
 nsresult
@@ -428,182 +247,16 @@ nsBasePrincipal::EnsureCertData(const ns
   }
 
   mCert->subjectName = aSubjectName;
   mCert->prettyName = aPrettyName;
   mCert->cert = aCert;
   return NS_OK;
 }
 
-struct CapabilityList
-{
-  nsCString* granted;
-  nsCString* denied;
-};
-
-static bool
-AppendCapability(nsHashKey *aKey, void *aData, void *capListPtr)
-{
-  CapabilityList* capList = (CapabilityList*)capListPtr;
-  int16_t value = (int16_t)NS_PTR_TO_INT32(aData);
-  nsCStringKey* key = (nsCStringKey *)aKey;
-  if (value == nsIPrincipal::ENABLE_GRANTED) {
-    capList->granted->Append(key->GetString(), key->GetStringLength());
-    capList->granted->Append(' ');
-  }
-  else if (value == nsIPrincipal::ENABLE_DENIED) {
-    capList->denied->Append(key->GetString(), key->GetStringLength());
-    capList->denied->Append(' ');
-  }
-
-  return true;
-}
-
-NS_IMETHODIMP
-nsBasePrincipal::GetPreferences(char** aPrefName, char** aID,
-                                char** aSubjectName,
-                                char** aGrantedList, char** aDeniedList,
-                                bool* aIsTrusted)
-{
-  if (mPrefName.IsEmpty()) {
-    if (mCert) {
-      mPrefName.Assign("capability.principal.certificate.p");
-    }
-    else {
-      mPrefName.Assign("capability.principal.codebase.p");
-    }
-
-    mPrefName.AppendInt(sCapabilitiesOrdinal++);
-    mPrefName.Append(".id");
-  }
-
-  *aPrefName = nullptr;
-  *aID = nullptr;
-  *aSubjectName = nullptr;
-  *aGrantedList = nullptr;
-  *aDeniedList = nullptr;
-  *aIsTrusted = mTrusted;
-
-  char *prefName = nullptr;
-  char *id = nullptr;
-  char *subjectName = nullptr;
-  char *granted = nullptr;
-  char *denied = nullptr;
-
-  //-- Preference name
-  prefName = ToNewCString(mPrefName);
-  if (!prefName) {
-    return NS_ERROR_OUT_OF_MEMORY;
-  }
-
-  //-- ID
-  nsresult rv = NS_OK;
-  if (mCert) {
-    id = ToNewCString(mCert->fingerprint);
-    if (!id) {
-      rv = NS_ERROR_OUT_OF_MEMORY;
-    }
-  }
-  else {
-    rv = GetOrigin(&id);
-  }
-
-  if (NS_FAILED(rv)) {
-    nsMemory::Free(prefName);
-    return rv;
-  }
-
-  if (mCert) {
-    subjectName = ToNewCString(mCert->subjectName);
-  } else {
-    subjectName = ToNewCString(EmptyCString());
-  }
-
-  if (!subjectName) {
-    nsMemory::Free(prefName);
-    nsMemory::Free(id);
-    return NS_ERROR_OUT_OF_MEMORY;
-  }
-
-  //-- Capabilities
-  nsAutoCString grantedListStr, deniedListStr;
-  if (mCapabilities) {
-    CapabilityList capList = CapabilityList();
-    capList.granted = &grantedListStr;
-    capList.denied = &deniedListStr;
-    mCapabilities->Enumerate(AppendCapability, (void*)&capList);
-  }
-
-  if (!grantedListStr.IsEmpty()) {
-    grantedListStr.Truncate(grantedListStr.Length() - 1);
-    granted = ToNewCString(grantedListStr);
-    if (!granted) {
-      nsMemory::Free(prefName);
-      nsMemory::Free(id);
-      nsMemory::Free(subjectName);
-      return NS_ERROR_OUT_OF_MEMORY;
-    }
-  }
-
-  if (!deniedListStr.IsEmpty()) {
-    deniedListStr.Truncate(deniedListStr.Length() - 1);
-    denied = ToNewCString(deniedListStr);
-    if (!denied) {
-      nsMemory::Free(prefName);
-      nsMemory::Free(id);
-      nsMemory::Free(subjectName);
-      if (granted) {
-        nsMemory::Free(granted);
-      }
-      return NS_ERROR_OUT_OF_MEMORY;
-    }
-  }
-
-  *aPrefName = prefName;
-  *aID = id;
-  *aSubjectName = subjectName;
-  *aGrantedList = granted;
-  *aDeniedList = denied;
-
-  return NS_OK;
-}
-
-static nsresult
-ReadAnnotationEntry(nsIObjectInputStream* aStream, nsHashKey** aKey,
-                    void** aData)
-{
-  nsresult rv;
-  nsCStringKey* key = new nsCStringKey(aStream, &rv);
-  if (!key)
-    return NS_ERROR_OUT_OF_MEMORY;
-
-  if (NS_FAILED(rv)) {
-    delete key;
-    return rv;
-  }
-
-  uint32_t value;
-  rv = aStream->Read32(&value);
-  if (NS_FAILED(rv)) {
-    delete key;
-    return rv;
-  }
-
-  *aKey = key;
-  *aData = (void*) value;
-  return NS_OK;
-}
-
-static void
-FreeAnnotationEntry(nsIObjectInputStream* aStream, nsHashKey* aKey,
-                    void* aData)
-{
-  delete aKey;
-}
-
 #ifdef DEBUG
 void nsPrincipal::dumpImpl()
 {
   nsAutoCString str;
   GetScriptLocation(str);
   fprintf(stderr, "nsPrincipal (%p) = %s\n", static_cast<void*>(this), str.get());
 }
 #endif 
@@ -999,85 +652,16 @@ nsPrincipal::SetDomain(nsIURI* aDomain)
   NS_ENSURE_TRUE(success, NS_ERROR_FAILURE);
   success = js::RecomputeWrappers(cx, js::CompartmentsWithPrincipals(principals),
                                   js::ContentCompartmentsOnly());
   NS_ENSURE_TRUE(success, NS_ERROR_FAILURE);
 
   return NS_OK;
 }
 
-nsresult
-nsPrincipal::InitFromPersistent(const char* aPrefName,
-                                const nsCString& aToken,
-                                const nsCString& aSubjectName,
-                                const nsACString& aPrettyName,
-                                const char* aGrantedList,
-                                const char* aDeniedList,
-                                nsISupports* aCert,
-                                bool aIsCert,
-                                bool aTrusted,
-                                uint32_t aAppId,
-                                bool aInMozBrowser)
-{
-  NS_PRECONDITION(!mCapabilities || mCapabilities->Count() == 0,
-                  "mCapabilities was already initialized?");
-  NS_PRECONDITION(mAnnotations.Length() == 0,
-                  "mAnnotations was already initialized?");
-  NS_PRECONDITION(!mInitialized, "We were already initialized?");
-
-  mInitialized = true;
-
-  mAppId = aAppId;
-  mInMozBrowser = aInMozBrowser;
-
-  nsresult rv;
-  if (aIsCert) {
-    rv = SetCertificate(aToken, aSubjectName, aPrettyName, aCert);
-    
-    if (NS_FAILED(rv)) {
-      return rv;
-    }
-  }
-  else {
-    rv = NS_NewURI(getter_AddRefs(mCodebase), aToken, nullptr);
-    if (NS_FAILED(rv)) {
-      NS_ERROR("Malformed URI in capability.principal preference.");
-      return rv;
-    }
-
-    NS_TryToSetImmutable(mCodebase);
-    mCodebaseImmutable = URIIsImmutable(mCodebase);
-
-    mTrusted = aTrusted;
-  }
-
-  //-- Save the preference name
-  mPrefName = aPrefName;
-
-  const char* ordinalBegin = PL_strpbrk(aPrefName, "1234567890");
-  if (ordinalBegin) {
-    int n = atoi(ordinalBegin);
-    if (sCapabilitiesOrdinal <= n) {
-      sCapabilitiesOrdinal = n + 1;
-    }
-  }
-
-  //-- Store the capabilities
-  rv = NS_OK;
-  if (aGrantedList) {
-    rv = SetCanEnableCapability(aGrantedList, nsIPrincipal::ENABLE_GRANTED);
-  }
-
-  if (NS_SUCCEEDED(rv) && aDeniedList) {
-    rv = SetCanEnableCapability(aDeniedList, nsIPrincipal::ENABLE_DENIED);
-  }
-
-  return rv;
-}
-
 NS_IMETHODIMP
 nsPrincipal::GetExtendedOrigin(nsACString& aExtendedOrigin)
 {
   MOZ_ASSERT(mAppId != nsIScriptSecurityManager::UNKNOWN_APP_ID);
 
   mozilla::GetExtendedOrigin(mCodebase, mAppId, mInMozBrowser, aExtendedOrigin);
   return NS_OK;
 }
@@ -1116,43 +700,18 @@ nsPrincipal::GetUnknownAppId(bool* aUnkn
 {
   *aUnknownAppId = mAppId == nsIScriptSecurityManager::UNKNOWN_APP_ID;
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPrincipal::Read(nsIObjectInputStream* aStream)
 {
-  bool hasCapabilities;
-  nsresult rv = aStream->ReadBoolean(&hasCapabilities);
-  if (NS_SUCCEEDED(rv) && hasCapabilities) {
-    mCapabilities = new nsHashtable(aStream, ReadAnnotationEntry,
-                                    FreeAnnotationEntry, &rv);
-    NS_ENSURE_TRUE(mCapabilities, NS_ERROR_OUT_OF_MEMORY);
-  }
-
-  if (NS_FAILED(rv)) {
-    return rv;
-  }
-
-  rv = NS_ReadOptionalCString(aStream, mPrefName);
-  if (NS_FAILED(rv)) {
-    return rv;
-  }
-
-  const char* ordinalBegin = PL_strpbrk(mPrefName.get(), "1234567890");
-  if (ordinalBegin) {
-    int n = atoi(ordinalBegin);
-    if (sCapabilitiesOrdinal <= n) {
-      sCapabilitiesOrdinal = n + 1;
-    }
-  }
-
   bool haveCert;
-  rv = aStream->ReadBoolean(&haveCert);
+  nsresult rv = aStream->ReadBoolean(&haveCert);
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   nsCString fingerprint;
   nsCString subjectName;
   nsCString prettyName;
   nsCOMPtr<nsISupports> cert;
@@ -1198,56 +757,25 @@ nsPrincipal::Read(nsIObjectInputStream* 
   rv = aStream->ReadBoolean(&inMozBrowser);
   NS_ENSURE_SUCCESS(rv, rv);
 
   rv = Init(fingerprint, subjectName, prettyName, cert, codebase, appId, inMozBrowser);
   NS_ENSURE_SUCCESS(rv, rv);
 
   SetDomain(domain);
 
-  rv = aStream->ReadBoolean(&mTrusted);
-  if (NS_FAILED(rv)) {
-    return rv;
-  }
-
   return NS_OK;
 }
 
-static nsresult
-WriteScalarValue(nsIObjectOutputStream* aStream, void* aData)
-{
-  uint32_t value = NS_PTR_TO_INT32(aData);
-
-  return aStream->Write32(value);
-}
-
 NS_IMETHODIMP
 nsPrincipal::Write(nsIObjectOutputStream* aStream)
 {
   NS_ENSURE_STATE(mCert || mCodebase);
-  
-  // mAnnotations is transient data associated to specific JS stack frames.  We
-  // don't want to serialize that.
-  
-  bool hasCapabilities = (mCapabilities && mCapabilities->Count() > 0);
-  nsresult rv = aStream->WriteBoolean(hasCapabilities);
-  if (NS_SUCCEEDED(rv) && hasCapabilities) {
-    rv = mCapabilities->Write(aStream, WriteScalarValue);
-  }
 
-  if (NS_FAILED(rv)) {
-    return rv;
-  }
-
-  rv = NS_WriteOptionalStringZ(aStream, mPrefName.get());
-  if (NS_FAILED(rv)) {
-    return rv;
-  }
-
-  rv = aStream->WriteBoolean(mCert != nullptr);
+  nsresult rv = aStream->WriteBoolean(mCert != nullptr);
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   if (mCert) {
     NS_ENSURE_STATE(mCert->cert);
     
     rv = NS_WriteOptionalStringZ(aStream, mCert->fingerprint.get());
@@ -1286,21 +814,16 @@ nsPrincipal::Write(nsIObjectOutputStream
                                       true);
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   aStream->Write32(mAppId);
   aStream->WriteBoolean(mInMozBrowser);
 
-  rv = aStream->Write8(mTrusted);
-  if (NS_FAILED(rv)) {
-    return rv;
-  }
-
   // mCodebaseImmutable and mDomainImmutable will be recomputed based
   // on the deserialized URIs in Read().
 
   return NS_OK;
 }
 
 uint16_t
 nsPrincipal::GetAppStatus()
--- a/caps/src/nsScriptSecurityManager.cpp
+++ b/caps/src/nsScriptSecurityManager.cpp
@@ -1888,85 +1888,16 @@ nsScriptSecurityManager::DoGetCertificat
     nsRefPtr<nsPrincipal> certificate = new nsPrincipal();
     if (!certificate)
         return NS_ERROR_OUT_OF_MEMORY;
 
     nsresult rv = certificate->Init(aCertFingerprint, aSubjectName,
                                     aPrettyName, aCertificate, aURI,
                                     UNKNOWN_APP_ID, false);
     NS_ENSURE_SUCCESS(rv, rv);
-
-    // Check to see if we already have this principal.
-    nsCOMPtr<nsIPrincipal> fromTable;
-    mPrincipals.Get(certificate, getter_AddRefs(fromTable));
-    if (fromTable) {
-        // Bingo.  We found the certificate in the table, which means
-        // that it has escalated privileges.
-
-        if (aModifyTable) {
-            // Make sure this principal has names, so if we ever go to save it
-            // we'll save them.  If we get a name mismatch here we'll throw,
-            // but that's desirable.
-            rv = static_cast<nsPrincipal*>
-                            (static_cast<nsIPrincipal*>(fromTable))
-                ->EnsureCertData(aSubjectName, aPrettyName, aCertificate);
-            if (NS_FAILED(rv)) {
-                // We have a subject name mismatch for the same cert id.
-                // Hand back the |certificate| object we created and don't give
-                // it any rights from the table.
-                NS_ADDREF(*result = certificate);
-                return NS_OK;
-            }                
-        }
-        
-        if (!aURI) {
-            // We were asked to just get the base certificate, so output
-            // what we have in the table.
-            certificate = static_cast<nsPrincipal*>
-                                     (static_cast<nsIPrincipal*>
-                                                 (fromTable));
-        } else {
-            // We found a certificate and now need to install a codebase
-            // on it.  We don't want to modify the principal in the hash
-            // table, so create a new principal and clone the pertinent
-            // things.
-            nsXPIDLCString prefName;
-            nsXPIDLCString id;
-            nsXPIDLCString subjectName;
-            nsXPIDLCString granted;
-            nsXPIDLCString denied;
-            bool isTrusted;
-            rv = fromTable->GetPreferences(getter_Copies(prefName),
-                                           getter_Copies(id),
-                                           getter_Copies(subjectName),
-                                           getter_Copies(granted),
-                                           getter_Copies(denied),
-                                           &isTrusted);
-            // XXXbz assert something about subjectName and aSubjectName here?
-            if (NS_SUCCEEDED(rv)) {
-                NS_ASSERTION(!isTrusted, "Shouldn't have isTrusted true here");
-                
-                certificate = new nsPrincipal();
-                if (!certificate)
-                    return NS_ERROR_OUT_OF_MEMORY;
-
-                rv = certificate->InitFromPersistent(prefName, id,
-                                                     subjectName, aPrettyName,
-                                                     granted, denied,
-                                                     aCertificate,
-                                                     true, false,
-                                                     UNKNOWN_APP_ID, false);
-                if (NS_FAILED(rv))
-                    return rv;
-                
-                certificate->SetURI(aURI);
-            }
-        }
-    }
-
     NS_ADDREF(*result = certificate);
 
     return rv;
 }
 
 nsresult
 nsScriptSecurityManager::CreateCodebasePrincipal(nsIURI* aURI, uint32_t aAppId,
                                                  bool aInMozBrowser,
@@ -2065,62 +1996,16 @@ nsScriptSecurityManager::GetCodebasePrin
     if (NS_FAILED(rv) || inheritsPrincipal) {
         return CallCreateInstance(NS_NULLPRINCIPAL_CONTRACTID, result);
     }
 
     nsCOMPtr<nsIPrincipal> principal;
     rv = CreateCodebasePrincipal(aURI, aAppId, aInMozBrowser,
                                  getter_AddRefs(principal));
     NS_ENSURE_SUCCESS(rv, rv);
-
-    if (mPrincipals.Count() > 0)
-    {
-        //-- Check to see if we already have this principal.
-        nsCOMPtr<nsIPrincipal> fromTable;
-        mPrincipals.Get(principal, getter_AddRefs(fromTable));
-        if (fromTable) {
-            // We found an existing codebase principal.  But it might have a
-            // generic codebase for this origin on it.  Install our particular
-            // codebase.
-            // XXXbz this is kinda similar to the code in
-            // GetCertificatePrincipal, but just ever so slightly different.
-            // Oh, well.
-            nsXPIDLCString prefName;
-            nsXPIDLCString id;
-            nsXPIDLCString subjectName;
-            nsXPIDLCString granted;
-            nsXPIDLCString denied;
-            bool isTrusted;
-            rv = fromTable->GetPreferences(getter_Copies(prefName),
-                                           getter_Copies(id),
-                                           getter_Copies(subjectName),
-                                           getter_Copies(granted),
-                                           getter_Copies(denied),
-                                           &isTrusted);
-            if (NS_SUCCEEDED(rv)) {
-                nsRefPtr<nsPrincipal> codebase = new nsPrincipal();
-                if (!codebase)
-                    return NS_ERROR_OUT_OF_MEMORY;
-
-                rv = codebase->InitFromPersistent(prefName, id,
-                                                  subjectName, EmptyCString(),
-                                                  granted, denied,
-                                                  nullptr, false,
-                                                  isTrusted,
-                                                  aAppId,
-                                                  aInMozBrowser);
-                NS_ENSURE_SUCCESS(rv, rv);
-
-                codebase->SetURI(aURI);
-                principal = codebase;
-            }
-
-        }
-    }
-
     NS_IF_ADDREF(*result = principal);
 
     return NS_OK;
 }
 
 NS_IMETHODIMP
 nsScriptSecurityManager::GetPrincipalFromContext(JSContext *cx,
                                                  nsIPrincipal **result)
@@ -2713,24 +2598,22 @@ nsScriptSecurityManager::AsyncOnChannelR
 
 
 /////////////////////////////////////
 // Method implementing nsIObserver //
 /////////////////////////////////////
 const char sJSEnabledPrefName[] = "javascript.enabled";
 const char sFileOriginPolicyPrefName[] =
     "security.fileuri.strict_origin_policy";
-static const char sPrincipalPrefix[] = "capability.principal";
 static const char sPolicyPrefix[] = "capability.policy.";
 
 static const char* kObservedPrefs[] = {
   sJSEnabledPrefName,
   sFileOriginPolicyPrefName,
   sPolicyPrefix,
-  sPrincipalPrefix,
   nullptr
 };
 
 
 NS_IMETHODIMP
 nsScriptSecurityManager::Observe(nsISupports* aObject, const char* aTopic,
                                  const PRUnichar* aMessage)
 {
@@ -2745,29 +2628,16 @@ nsScriptSecurityManager::Observe(nsISupp
     {
         ScriptSecurityPrefChanged();
     }
     else if (PL_strncmp(message, sPolicyPrefix, sizeof(sPolicyPrefix)-1) == 0)
     {
         // This will force re-initialization of the pref table
         mPolicyPrefsChanged = true;
     }
-    else if ((PL_strncmp(message, sPrincipalPrefix, sizeof(sPrincipalPrefix)-1) == 0) &&
-             !mIsWritingPrefs)
-    {
-        static const char id[] = "id";
-        char* lastDot = PL_strrchr(message, '.');
-        //-- This check makes sure the string copy below doesn't overwrite its bounds
-        if(PL_strlen(lastDot) >= sizeof(id))
-        {
-            PL_strcpy(lastDot + 1, id);
-            const char** idPrefArray = (const char**)&message;
-            rv = InitPrincipals(1, idPrefArray);
-        }
-    }
     return rv;
 }
 
 /////////////////////////////////////////////
 // Constructor, Destructor, Initialization //
 /////////////////////////////////////////////
 nsScriptSecurityManager::nsScriptSecurityManager(void)
     : mOriginToPolicyMap(nullptr),
@@ -2776,17 +2646,16 @@ nsScriptSecurityManager::nsScriptSecurit
       mPrefInitialized(false),
       mIsJavaScriptEnabled(false),
       mIsWritingPrefs(false),
       mPolicyPrefsChanged(true)
 {
     MOZ_STATIC_ASSERT(sizeof(intptr_t) == sizeof(void*),
                       "intptr_t and void* have different lengths on this platform. "
                       "This may cause a security failure with the SecurityLevel union.");
-    mPrincipals.Init(31);
 }
 
 nsresult nsScriptSecurityManager::Init()
 {
     nsXPConnect* xpconnect = nsXPConnect::GetXPConnect();
      if (!xpconnect)
         return NS_ERROR_FAILURE;
 
@@ -3209,155 +3078,16 @@ nsScriptSecurityManager::InitDomainPolic
     }
 
     NS_FREE_XPCOM_ALLOCATED_POINTER_ARRAY(prefCount, prefNames);
     if (currentPref < prefCount) // Loop exited early because of out-of-memory error
         return NS_ERROR_OUT_OF_MEMORY;
     return NS_OK;
 }
 
-
-// XXXbz We should really just get a prefbranch to handle this...
-nsresult
-nsScriptSecurityManager::GetPrincipalPrefNames(const char* prefBase,
-                                               nsCString& grantedPref,
-                                               nsCString& deniedPref,
-                                               nsCString& subjectNamePref)
-{
-    char* lastDot = PL_strrchr(prefBase, '.');
-    if (!lastDot) return NS_ERROR_FAILURE;
-    int32_t prefLen = lastDot - prefBase + 1;
-
-    grantedPref.Assign(prefBase, prefLen);
-    deniedPref.Assign(prefBase, prefLen);
-    subjectNamePref.Assign(prefBase, prefLen);
-
-#define GRANTED "granted"
-#define DENIED "denied"
-#define SUBJECTNAME "subjectName"
-
-    grantedPref.AppendLiteral(GRANTED);
-    if (grantedPref.Length() != prefLen + sizeof(GRANTED) - 1) {
-        return NS_ERROR_OUT_OF_MEMORY;
-    }
-
-    deniedPref.AppendLiteral(DENIED);
-    if (deniedPref.Length() != prefLen + sizeof(DENIED) - 1) {
-        return NS_ERROR_OUT_OF_MEMORY;
-    }
-
-    subjectNamePref.AppendLiteral(SUBJECTNAME);
-    if (subjectNamePref.Length() != prefLen + sizeof(SUBJECTNAME) - 1) {
-        return NS_ERROR_OUT_OF_MEMORY;
-    }
-
-#undef SUBJECTNAME
-#undef DENIED
-#undef GRANTED
-    
-    return NS_OK;
-}
-
-nsresult
-nsScriptSecurityManager::InitPrincipals(uint32_t aPrefCount, const char** aPrefNames)
-{
-    /* This is the principal preference syntax:
-     * capability.principal.[codebase|codebaseTrusted|certificate].<name>.[id|granted|denied]
-     * For example:
-     * user_pref("capability.principal.certificate.p1.id","12:34:AB:CD");
-     * user_pref("capability.principal.certificate.p1.granted","Capability1 Capability2");
-     * user_pref("capability.principal.certificate.p1.denied","Capability3");
-     */
-
-    /* codebaseTrusted means a codebase principal that can enable capabilities even if
-     * codebase principals are disabled. Don't use trustedCodebase except with unspoofable
-     * URLs such as HTTPS URLs.
-     */
-
-    static const char idSuffix[] = ".id";
-    for (uint32_t c = 0; c < aPrefCount; c++)
-    {
-        int32_t prefNameLen = PL_strlen(aPrefNames[c]) - 
-            (ArrayLength(idSuffix) - 1);
-        if (PL_strcasecmp(aPrefNames[c] + prefNameLen, idSuffix) != 0)
-            continue;
-
-        nsAdoptingCString id = Preferences::GetCString(aPrefNames[c]);
-        if (!id) {
-            return NS_ERROR_FAILURE;
-        }
-
-        nsAutoCString grantedPrefName;
-        nsAutoCString deniedPrefName;
-        nsAutoCString subjectNamePrefName;
-        nsresult rv = GetPrincipalPrefNames(aPrefNames[c],
-                                            grantedPrefName,
-                                            deniedPrefName,
-                                            subjectNamePrefName);
-        if (rv == NS_ERROR_OUT_OF_MEMORY)
-            return rv;
-        if (NS_FAILED(rv))
-            continue;
-
-        nsAdoptingCString grantedList =
-            Preferences::GetCString(grantedPrefName.get());
-        nsAdoptingCString deniedList =
-            Preferences::GetCString(deniedPrefName.get());
-        nsAdoptingCString subjectName =
-            Preferences::GetCString(subjectNamePrefName.get());
-
-        //-- Delete prefs if their value is the empty string
-        if (id.IsEmpty() || (grantedList.IsEmpty() && deniedList.IsEmpty()))
-        {
-            Preferences::ClearUser(aPrefNames[c]);
-            Preferences::ClearUser(grantedPrefName.get());
-            Preferences::ClearUser(deniedPrefName.get());
-            Preferences::ClearUser(subjectNamePrefName.get());
-            continue;
-        }
-
-        //-- Create a principal based on the prefs
-        static const char certificateName[] = "capability.principal.certificate";
-        static const char codebaseName[] = "capability.principal.codebase";
-        static const char codebaseTrustedName[] = "capability.principal.codebaseTrusted";
-
-        bool isCert = false;
-        bool isTrusted = false;
-        
-        if (PL_strncmp(aPrefNames[c], certificateName,
-                       sizeof(certificateName) - 1) == 0)
-        {
-            isCert = true;
-        }
-        else if (PL_strncmp(aPrefNames[c], codebaseName,
-                            sizeof(codebaseName) - 1) == 0)
-        {
-            isTrusted = (PL_strncmp(aPrefNames[c], codebaseTrustedName,
-                                    sizeof(codebaseTrustedName) - 1) == 0);
-        }
-        else
-        {
-          NS_ERROR("Not a codebase or a certificate?!");
-        }
-
-        nsRefPtr<nsPrincipal> newPrincipal = new nsPrincipal();
-        if (!newPrincipal)
-            return NS_ERROR_OUT_OF_MEMORY;
-
-        rv = newPrincipal->InitFromPersistent(aPrefNames[c], id, subjectName,
-                                              EmptyCString(),
-                                              grantedList, deniedList, nullptr, 
-                                              isCert, isTrusted, UNKNOWN_APP_ID,
-                                              false);
-        if (NS_SUCCEEDED(rv))
-            mPrincipals.Put(newPrincipal, newPrincipal);
-    }
-    return NS_OK;
-}
-
 inline void
 nsScriptSecurityManager::ScriptSecurityPrefChanged()
 {
     // JavaScript defaults to enabled in failure cases.
     mIsJavaScriptEnabled = true;
 
     sStrictFileOriginPolicy = true;
 
@@ -3373,39 +3103,27 @@ nsScriptSecurityManager::ScriptSecurityP
 
     sStrictFileOriginPolicy =
         Preferences::GetBool(sFileOriginPolicyPrefName, false);
 }
 
 nsresult
 nsScriptSecurityManager::InitPrefs()
 {
-    nsresult rv;
     nsIPrefBranch* branch = Preferences::GetRootBranch();
     NS_ENSURE_TRUE(branch, NS_ERROR_FAILURE);
 
     mPrefInitialized = true;
 
     // Set the initial value of the "javascript.enabled" prefs
     ScriptSecurityPrefChanged();
 
     // set observer callbacks in case the value of the prefs change
     Preferences::AddStrongObservers(this, kObservedPrefs);
 
-    uint32_t prefCount;
-    char** prefNames;
-    //-- Initialize the principals database from prefs
-    rv = branch->GetChildList(sPrincipalPrefix, &prefCount, &prefNames);
-    if (NS_SUCCEEDED(rv) && prefCount > 0)
-    {
-        rv = InitPrincipals(prefCount, (const char**)prefNames);
-        NS_FREE_XPCOM_ALLOCATED_POINTER_ARRAY(prefCount, prefNames);
-        NS_ENSURE_SUCCESS(rv, rv);
-    }
-
     return NS_OK;
 }
 
 namespace mozilla {
 
 void
 GetExtendedOrigin(nsIURI* aURI, uint32_t aAppId, bool aInMozBrowser,
                   nsACString& aExtendedOrigin)
--- a/caps/src/nsSystemPrincipal.cpp
+++ b/caps/src/nsSystemPrincipal.cpp
@@ -66,33 +66,16 @@ void nsSystemPrincipal::dumpImpl()
 #endif 
 
 
 ///////////////////////////////////////
 // Methods implementing nsIPrincipal //
 ///////////////////////////////////////
 
 NS_IMETHODIMP
-nsSystemPrincipal::GetPreferences(char** aPrefName, char** aID,
-                                  char** aSubjectName,
-                                  char** aGrantedList, char** aDeniedList,
-                                  bool* aIsTrusted)
-{
-    // The system principal should never be streamed out
-    *aPrefName = nullptr;
-    *aID = nullptr;
-    *aSubjectName = nullptr;
-    *aGrantedList = nullptr;
-    *aDeniedList = nullptr;
-    *aIsTrusted = false;
-
-    return NS_ERROR_FAILURE; 
-}
-
-NS_IMETHODIMP
 nsSystemPrincipal::Equals(nsIPrincipal *other, bool *result)
 {
     *result = (other == this);
     return NS_OK;
 }
 
 NS_IMETHODIMP
 nsSystemPrincipal::EqualsIgnoringDomain(nsIPrincipal *other, bool *result)
@@ -123,41 +106,16 @@ nsSystemPrincipal::CheckMayLoad(nsIURI* 
 NS_IMETHODIMP
 nsSystemPrincipal::GetHashValue(uint32_t *result)
 {
     *result = NS_PTR_TO_INT32(this);
     return NS_OK;
 }
 
 NS_IMETHODIMP 
-nsSystemPrincipal::CanEnableCapability(const char *capability, 
-                                       int16_t *result)
-{
-    // System principal can enable all capabilities.
-    *result = nsIPrincipal::ENABLE_GRANTED;
-    return NS_OK;
-}
-
-NS_IMETHODIMP 
-nsSystemPrincipal::IsCapabilityEnabled(const char *capability, 
-                                       void *annotation, 
-                                       bool *result)
-{
-    *result = true;
-    return NS_OK;
-}
-
-NS_IMETHODIMP 
-nsSystemPrincipal::EnableCapability(const char *capability, void **annotation)
-{
-    *annotation = nullptr;
-    return NS_OK;
-}
-
-NS_IMETHODIMP 
 nsSystemPrincipal::GetURI(nsIURI** aURI)
 {
     *aURI = nullptr;
     return NS_OK;
 }
 
 NS_IMETHODIMP 
 nsSystemPrincipal::GetOrigin(char** aOrigin)