From 8574d2db426889903c3ce0f647f4b9940de7e1c0 Mon Sep 17 00:00:00 2001
From: Josh Matthews <josh@joshmatthews.net>
Date: Wed, 12 Dec 2012 10:40:33 -0500
Subject: [PATCH] Bug 782542 - Secure necko IPDL usage. r=ted,jduell
 a=blocking-b2g

---
 .../test_child_process_shutdown_message.html  |   8 +
 .../templates/src/crashtests/crashtests.list  |   2 +-
 docshell/base/LoadContext.cpp                 |  12 +-
 docshell/base/LoadContext.h                   |  17 +-
 .../mochitest/browserElementTestHelpers.js    |  15 ++
 dom/devicestorage/ipc/test_ipc.html           |   3 +
 dom/indexedDB/ipc/test_ipc.html               |   3 +
 dom/indexedDB/test/file_app_isolation.js      |   7 +-
 dom/ipc/PBrowser.ipdl                         |   3 -
 dom/ipc/TabChild.cpp                          |   2 -
 dom/ipc/TabChild.h                            |   2 -
 dom/ipc/TabParent.cpp                         |   8 +-
 dom/ipc/TabParent.h                           |   2 -
 netwerk/cookie/CookieServiceChild.cpp         |  26 ++-
 netwerk/cookie/CookieServiceParent.cpp        |  65 +++++---
 netwerk/cookie/CookieServiceParent.h          |   7 +-
 netwerk/cookie/PCookieService.ipdl            |   7 +-
 netwerk/ipc/NeckoChild.cpp                    |   6 +-
 netwerk/ipc/NeckoChild.h                      |   5 +-
 netwerk/ipc/NeckoParent.cpp                   | 149 ++++++++++++++++--
 netwerk/ipc/NeckoParent.h                     |  35 +++-
 netwerk/ipc/PNecko.ipdl                       |   4 +-
 netwerk/protocol/ftp/FTPChannelChild.cpp      |  31 +++-
 netwerk/protocol/ftp/FTPChannelParent.cpp     |  21 ++-
 netwerk/protocol/ftp/FTPChannelParent.h       |   8 +-
 netwerk/protocol/ftp/PFTPChannel.ipdl         |   4 +-
 netwerk/protocol/http/HttpChannelParent.cpp   |  18 +--
 netwerk/protocol/http/HttpChannelParent.h     |  10 +-
 netwerk/protocol/websocket/PWebSocket.ipdl    |   3 +-
 .../websocket/WebSocketChannelChild.cpp       |   6 +-
 .../websocket/WebSocketChannelParent.cpp      |  19 +--
 .../websocket/WebSocketChannelParent.h        |   8 +-
 netwerk/protocol/wyciwyg/PWyciwygChannel.ipdl |   4 +-
 .../protocol/wyciwyg/WyciwygChannelChild.cpp  |  12 +-
 .../protocol/wyciwyg/WyciwygChannelParent.cpp |  17 +-
 .../protocol/wyciwyg/WyciwygChannelParent.h   |   7 +-
 .../prefetch/OfflineCacheUpdateChild.cpp      |   1 -
 .../prefetch/OfflineCacheUpdateParent.cpp     |  13 +-
 uriloader/prefetch/OfflineCacheUpdateParent.h |   8 +-
 39 files changed, 416 insertions(+), 162 deletions(-)

diff --git a/content/base/test/test_child_process_shutdown_message.html b/content/base/test/test_child_process_shutdown_message.html
index 40d5c7f6bea2..dfebea910c74 100644
--- a/content/base/test/test_child_process_shutdown_message.html
+++ b/content/base/test/test_child_process_shutdown_message.html
@@ -112,6 +112,10 @@ function setUp() {
   SpecialPowers.setBoolPref("dom.ipc.browser_frames.oop_by_default", true);
   SpecialPowers.addPermission("browser", true, window.document);
   SpecialPowers.addPermission("embed-apps", true, window.document);
+
+  // TODO: remove in bug 820712
+  SpecialPowers.setBoolPref("network.disable.ipc.security", true);
+
   runNextTest();
 }
 
@@ -136,6 +140,10 @@ function makeKillTest(isApp) function testKill() {
 function tearDown() {
   SpecialPowers.clearUserPref("dom.mozBrowserFramesEnabled");
   SpecialPowers.clearUserPref("dom.ipc.browser_frames.oop_by_default");
+
+  // TODO: remove in bug 820712
+  SpecialPowers.clearUserPref("network.disable.ipc.security");
+
   SimpleTest.finish();
 }
 
diff --git a/content/xul/templates/src/crashtests/crashtests.list b/content/xul/templates/src/crashtests/crashtests.list
index 6ffd2e9ec7c8..fbc33ba1675c 100644
--- a/content/xul/templates/src/crashtests/crashtests.list
+++ b/content/xul/templates/src/crashtests/crashtests.list
@@ -1,7 +1,7 @@
 load 257752-1-recursion.xul
 load 329335-1.xul
 load 329884-1.xul
-skip-if(winWidget) HTTP load 330010-1.xul # bug 742455
+skip-if(winWidget||browserIsRemote) HTTP load 330010-1.xul # bugs 742455 and 823470
 skip-if(winWidget) load 330012-1.xul # bug 742455
 skip-if(winWidget) load 397148-1.xul # bug 742455
 load 404346-1.xul
diff --git a/docshell/base/LoadContext.cpp b/docshell/base/LoadContext.cpp
index 6861ecac3d61..7bf55a466590 100644
--- a/docshell/base/LoadContext.cpp
+++ b/docshell/base/LoadContext.cpp
@@ -8,22 +8,12 @@
 #include "nsIScriptSecurityManager.h"
 #include "nsServiceManagerUtils.h"
 #include "nsContentUtils.h"
+#include "mozIApplication.h"
 
 namespace mozilla {
 
 NS_IMPL_ISUPPORTS1(LoadContext, nsILoadContext);
 
-LoadContext::LoadContext(const IPC::SerializedLoadContext& aToCopy,
-                         nsIDOMElement* aTopFrameElemenet)
-  : mIsNotNull(aToCopy.mIsNotNull)
-  , mIsContent(aToCopy.mIsContent)
-  , mUsePrivateBrowsing(aToCopy.mUsePrivateBrowsing)
-  , mIsInBrowserElement(aToCopy.mIsInBrowserElement)
-  , mAppId(aToCopy.mAppId)
-  , mTopFrameElement(do_GetWeakReference(aTopFrameElemenet))
-{}
-
-
 //-----------------------------------------------------------------------------
 // LoadContext::nsILoadContext
 //-----------------------------------------------------------------------------
diff --git a/docshell/base/LoadContext.h b/docshell/base/LoadContext.h
index 29961ca44ac7..c1ba521b9bbd 100644
--- a/docshell/base/LoadContext.h
+++ b/docshell/base/LoadContext.h
@@ -10,6 +10,9 @@
 #include "SerializedLoadContext.h"
 #include "mozilla/Attributes.h"
 #include "nsWeakReference.h"
+#include "nsIDOMElement.h"
+
+class mozIApplication;
 
 namespace mozilla {
 
@@ -29,17 +32,19 @@ public:
   NS_DECL_ISUPPORTS
   NS_DECL_NSILOADCONTEXT
 
-  LoadContext(const IPC::SerializedLoadContext& aToCopy)
+  // AppId/inBrowser arguments override those in SerializedLoadContext provided
+  // by child process.
+  LoadContext(const IPC::SerializedLoadContext& aToCopy,
+              nsIDOMElement* aTopFrameElement,
+              uint32_t aAppId, bool aInBrowser)
     : mIsNotNull(aToCopy.mIsNotNull)
     , mIsContent(aToCopy.mIsContent)
     , mUsePrivateBrowsing(aToCopy.mUsePrivateBrowsing)
-    , mIsInBrowserElement(aToCopy.mIsInBrowserElement)
-    , mAppId(aToCopy.mAppId)
+    , mIsInBrowserElement(aInBrowser)
+    , mAppId(aAppId)
+    , mTopFrameElement(do_GetWeakReference(aTopFrameElement))
   {}
 
-  LoadContext(const IPC::SerializedLoadContext& aToCopy,
-              nsIDOMElement* aTopFrameElemenet);
-
 private:
   bool          mIsNotNull;
   bool          mIsContent;
diff --git a/dom/browser-element/mochitest/browserElementTestHelpers.js b/dom/browser-element/mochitest/browserElementTestHelpers.js
index 356e8f0f92ff..4d9b1e56d461 100644
--- a/dom/browser-element/mochitest/browserElementTestHelpers.js
+++ b/dom/browser-element/mochitest/browserElementTestHelpers.js
@@ -65,6 +65,14 @@ const browserElementTestHelpers = {
     return this._setBoolPref("dom.ipc.browser_frames.oop_by_default", value);
   },
 
+  getIPCSecurityDisabledPref: function() {
+    return this._getBoolPref("network.disable.ipc.security");
+  },
+
+  setIPCSecurityDisabledPref: function(value) {
+    return this._setBoolPref("network.disable.ipc.security", value);
+  },
+
   getPageThumbsEnabledPref: function() {
     return this._getBoolPref('browser.pageThumbs.enabled');
   },
@@ -94,6 +102,7 @@ const browserElementTestHelpers = {
     this.setOOPDisabledPref(this.origOOPDisabledPref);
     this.setOOPByDefaultPref(this.origOOPByDefaultPref);
     this.setPageThumbsEnabledPref(this.origPageThumbsEnabledPref);
+    this.setIPCSecurityDisabledPref(this.origIPCSecurityPref);
     this.removeAllTempPermissions();
   },
 
@@ -101,6 +110,7 @@ const browserElementTestHelpers = {
   'origOOPDisabledPref': null,
   'origOOPByDefaultPref': null,
   'origPageThumbsEnabledPref': null,
+  'origIPCSecurityPref': null,
   'tempPermissions': [],
 
   // Some basically-empty pages from different domains you can load.
@@ -122,6 +132,7 @@ browserElementTestHelpers.origEnabledPref = browserElementTestHelpers.getEnabled
 browserElementTestHelpers.origOOPDisabledPref = browserElementTestHelpers.getOOPDisabledPref();
 browserElementTestHelpers.origOOPByDefaultPref = browserElementTestHelpers.getOOPByDefaultPref();
 browserElementTestHelpers.origPageThumbsEnabledPref = browserElementTestHelpers.getPageThumbsEnabledPref();
+browserElementTestHelpers.origIPCSecurityPref = browserElementTestHelpers.getIPCSecurityDisabledPref();
 
 // Disable tab view; it seriously messes us up.
 browserElementTestHelpers.setPageThumbsEnabledPref(false);
@@ -133,6 +144,10 @@ var oop = location.pathname.indexOf('_inproc_') == -1;
 browserElementTestHelpers.setOOPByDefaultPref(oop);
 browserElementTestHelpers.setOOPDisabledPref(false);
 
+// Disable the networking security checks; our test harness just tests browser elements
+// without sticking them in apps, and the security checks dislike that.
+browserElementTestHelpers.setIPCSecurityDisabledPref(true);
+
 addEventListener('unload', function() {
   browserElementTestHelpers.restoreOriginalPrefs();
 });
diff --git a/dom/devicestorage/ipc/test_ipc.html b/dom/devicestorage/ipc/test_ipc.html
index f0836eacd35a..1366f54dd27b 100644
--- a/dom/devicestorage/ipc/test_ipc.html
+++ b/dom/devicestorage/ipc/test_ipc.html
@@ -153,6 +153,9 @@
           ["device.storage.testing", true],
           ["device.storage.prompt.testing", true],
 
+          // TODO: remove this as part of bug 820712
+          ["network.disable.ipc.security", true],
+
           ["dom.ipc.browser_frames.oop_by_default", true],
           ["dom.mozBrowserFramesEnabled", true],
           ["browser.pageThumbs.enabled", false]
diff --git a/dom/indexedDB/ipc/test_ipc.html b/dom/indexedDB/ipc/test_ipc.html
index 7cb1971aaf72..fe4e0c722640 100644
--- a/dom/indexedDB/ipc/test_ipc.html
+++ b/dom/indexedDB/ipc/test_ipc.html
@@ -168,6 +168,9 @@
       SpecialPowers.addPermission("browser", true, document);
       SpecialPowers.pushPrefEnv({
         "set": [
+          // TODO: remove this as part of bug 820712
+          ["network.disable.ipc.security", true],
+
           ["dom.ipc.browser_frames.oop_by_default", true],
           ["dom.mozBrowserFramesEnabled", true]
         ]
diff --git a/dom/indexedDB/test/file_app_isolation.js b/dom/indexedDB/test/file_app_isolation.js
index 514fb5824b65..704288f7b260 100644
--- a/dom/indexedDB/test/file_app_isolation.js
+++ b/dom/indexedDB/test/file_app_isolation.js
@@ -159,5 +159,10 @@ if (!SpecialPowers.isMainProcess()) {
   todo(false, "We should make this work on content process");
   SimpleTest.finish();
 } else {
-  startTest();
+  // TODO: remove unsetting network.disable.ipc.security as part of bug 820712
+  SpecialPowers.pushPrefEnv({
+    "set": [
+      ["network.disable.ipc.security", true],
+    ]
+  }, startTest);
 }
diff --git a/dom/ipc/PBrowser.ipdl b/dom/ipc/PBrowser.ipdl
index 7ccc34c952b6..a7270b93d557 100644
--- a/dom/ipc/PBrowser.ipdl
+++ b/dom/ipc/PBrowser.ipdl
@@ -216,8 +216,6 @@ parent:
      *   URI of the manifest to fetch, the application cache group ID
      * @param documentURI
      *   URI of the document that referred the manifest
-     * @param clientID
-     *   The group cache version identifier to use
      * @param stickDocument
      *   True if the update was initiated by a document load that referred
      *   a manifest.
@@ -235,7 +233,6 @@ parent:
      *   has already been cached (stickDocument=false).
      */
     POfflineCacheUpdate(URIParams manifestURI, URIParams documentURI,
-                        bool isInBrowserElement, uint32_t appId,
                         bool stickDocument);
 
     sync PIndexedDB(nsCString asciiOrigin)
diff --git a/dom/ipc/TabChild.cpp b/dom/ipc/TabChild.cpp
index 03fe4aa97ecc..eb480234d384 100644
--- a/dom/ipc/TabChild.cpp
+++ b/dom/ipc/TabChild.cpp
@@ -1576,8 +1576,6 @@ TabChild::RecvActivateFrameEvent(const nsString& aType, const bool& capture)
 POfflineCacheUpdateChild*
 TabChild::AllocPOfflineCacheUpdate(const URIParams& manifestURI,
                                    const URIParams& documentURI,
-                                   const bool& isInBrowserElement,
-                                   const uint32_t& appId,
                                    const bool& stickDocument)
 {
   NS_RUNTIMEABORT("unused");
diff --git a/dom/ipc/TabChild.h b/dom/ipc/TabChild.h
index 3e76ee766aaa..e565c1f1ceb8 100644
--- a/dom/ipc/TabChild.h
+++ b/dom/ipc/TabChild.h
@@ -277,8 +277,6 @@ public:
     virtual POfflineCacheUpdateChild* AllocPOfflineCacheUpdate(
             const URIParams& manifestURI,
             const URIParams& documentURI,
-            const bool& isInBrowserElement,
-            const uint32_t& appId,
             const bool& stickDocument);
     virtual bool DeallocPOfflineCacheUpdate(POfflineCacheUpdateChild* offlineCacheUpdate);
 
diff --git a/dom/ipc/TabParent.cpp b/dom/ipc/TabParent.cpp
index e252345fe792..70a607aa7081 100644
--- a/dom/ipc/TabParent.cpp
+++ b/dom/ipc/TabParent.cpp
@@ -1132,15 +1132,13 @@ TabParent::DeallocPRenderFrame(PRenderFrameParent* aFrame)
 mozilla::docshell::POfflineCacheUpdateParent*
 TabParent::AllocPOfflineCacheUpdate(const URIParams& aManifestURI,
                                     const URIParams& aDocumentURI,
-                                    const bool& isInBrowserElement,
-                                    const uint32_t& appId,
                                     const bool& stickDocument)
 {
   nsRefPtr<mozilla::docshell::OfflineCacheUpdateParent> update =
-    new mozilla::docshell::OfflineCacheUpdateParent();
+    new mozilla::docshell::OfflineCacheUpdateParent(OwnOrContainingAppId(),
+                                                    IsBrowserElement());
 
-  nsresult rv = update->Schedule(aManifestURI, aDocumentURI,
-                                 isInBrowserElement, appId, stickDocument);
+  nsresult rv = update->Schedule(aManifestURI, aDocumentURI, stickDocument);
   if (NS_FAILED(rv))
     return nullptr;
 
diff --git a/dom/ipc/TabParent.h b/dom/ipc/TabParent.h
index c44528fc8f70..bd640e3c9b7d 100644
--- a/dom/ipc/TabParent.h
+++ b/dom/ipc/TabParent.h
@@ -191,8 +191,6 @@ public:
     virtual POfflineCacheUpdateParent* AllocPOfflineCacheUpdate(
             const URIParams& aManifestURI,
             const URIParams& aDocumentURI,
-            const bool& isInBrowserElement,
-            const uint32_t& appId,
             const bool& stickDocument);
     virtual bool DeallocPOfflineCacheUpdate(POfflineCacheUpdateParent* actor);
 
diff --git a/netwerk/cookie/CookieServiceChild.cpp b/netwerk/cookie/CookieServiceChild.cpp
index a20b33bff158..d0e88c578103 100644
--- a/netwerk/cookie/CookieServiceChild.cpp
+++ b/netwerk/cookie/CookieServiceChild.cpp
@@ -4,12 +4,14 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "mozilla/net/CookieServiceChild.h"
-
+#include "mozilla/dom/TabChild.h"
 #include "mozilla/ipc/URIUtils.h"
 #include "mozilla/net/NeckoChild.h"
 #include "nsIURI.h"
 #include "nsIPrefService.h"
 #include "nsIPrefBranch.h"
+#include "nsITabChild.h"
+#include "nsNetUtil.h"
 
 using namespace mozilla::ipc;
 
@@ -115,10 +117,19 @@ CookieServiceChild::GetCookieStringInternal(nsIURI *aHostURI,
   URIParams uriParams;
   SerializeURI(aHostURI, uriParams);
 
+  nsCOMPtr<nsITabChild> iTabChild;
+  mozilla::dom::TabChild* tabChild = nullptr;
+  if (aChannel) {
+    NS_QueryNotificationCallbacks(aChannel, iTabChild);
+    if (iTabChild) {
+      tabChild = static_cast<mozilla::dom::TabChild*>(iTabChild.get());
+    }
+  }
+
   // Synchronously call the parent.
   nsAutoCString result;
   SendGetCookieString(uriParams, !!isForeign, aFromHttp,
-                      IPC::SerializedLoadContext(aChannel), &result);
+                      IPC::SerializedLoadContext(aChannel), tabChild, &result);
   if (!result.IsEmpty())
     *aCookieString = ToNewCString(result);
 
@@ -148,9 +159,18 @@ CookieServiceChild::SetCookieStringInternal(nsIURI *aHostURI,
   URIParams uriParams;
   SerializeURI(aHostURI, uriParams);
 
+  nsCOMPtr<nsITabChild> iTabChild;
+  mozilla::dom::TabChild* tabChild = nullptr;
+  if (aChannel) {
+    NS_QueryNotificationCallbacks(aChannel, iTabChild);
+    if (iTabChild) {
+      tabChild = static_cast<mozilla::dom::TabChild*>(iTabChild.get());
+    }
+  }
+
   // Synchronously call the parent.
   SendSetCookieString(uriParams, !!isForeign, cookieString, serverTime,
-                      aFromHttp, IPC::SerializedLoadContext(aChannel));
+                      aFromHttp, IPC::SerializedLoadContext(aChannel), tabChild);
   return NS_OK;
 }
 
diff --git a/netwerk/cookie/CookieServiceParent.cpp b/netwerk/cookie/CookieServiceParent.cpp
index 90cb528574f6..7cc0c57a12bb 100644
--- a/netwerk/cookie/CookieServiceParent.cpp
+++ b/netwerk/cookie/CookieServiceParent.cpp
@@ -4,37 +4,44 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "mozilla/net/CookieServiceParent.h"
+#include "mozilla/dom/PBrowserParent.h"
+#include "mozilla/net/NeckoParent.h"
 
 #include "mozilla/ipc/URIUtils.h"
 #include "nsCookieService.h"
 #include "nsNetUtil.h"
+#include "nsPrintfCString.h"
 
 using namespace mozilla::ipc;
-
-static void
-GetAppInfoFromLoadContext(const IPC::SerializedLoadContext &aLoadContext,
-                          uint32_t& aAppId,
-                          bool& aIsInBrowserElement,
-                          bool& aIsPrivate)
-{
-  // TODO: bug 782542: what to do when we get null loadContext?  For now assume
-  // NECKO_NO_APP_ID.
-  aAppId = NECKO_NO_APP_ID;
-  aIsInBrowserElement = false;
-  aIsPrivate = false;
-
-  if (aLoadContext.IsNotNull()) {
-    aAppId = aLoadContext.mAppId;
-    aIsInBrowserElement = aLoadContext.mIsInBrowserElement;
-  }
-
-  if (aLoadContext.IsPrivateBitValid())
-    aIsPrivate = aLoadContext.mUsePrivateBrowsing;
-}
+using mozilla::dom::PBrowserParent;
+using mozilla::net::NeckoParent;
 
 namespace mozilla {
 namespace net {
 
+MOZ_WARN_UNUSED_RESULT
+static bool
+GetAppInfoFromParams(const IPC::SerializedLoadContext &aLoadContext,
+                     PBrowserParent* aBrowser,
+                     uint32_t& aAppId,
+                     bool& aIsInBrowserElement)
+{
+  aAppId = NECKO_NO_APP_ID;
+  aIsInBrowserElement = false;
+
+  const char* error = NeckoParent::GetValidatedAppInfo(aLoadContext, aBrowser,
+                                                       &aAppId,
+                                                       &aIsInBrowserElement);
+  if (error) {
+    NS_WARNING(nsPrintfCString("CookieServiceParent: GetAppInfoFromParams: "
+                               "FATAL error: %s: KILLING CHILD PROCESS\n",
+                               error).get());
+    return false;
+  }
+
+  return true;
+}
+
 CookieServiceParent::CookieServiceParent()
 {
   // Instantiate the cookieservice via the service manager, so it sticks around
@@ -57,6 +64,7 @@ CookieServiceParent::RecvGetCookieString(const URIParams& aHost,
                                          const bool& aFromHttp,
                                          const IPC::SerializedLoadContext&
                                                aLoadContext,
+                                         PBrowserParent* aBrowser,
                                          nsCString* aResult)
 {
   if (!mCookieService)
@@ -70,7 +78,11 @@ CookieServiceParent::RecvGetCookieString(const URIParams& aHost,
 
   uint32_t appId;
   bool isInBrowserElement, isPrivate;
-  GetAppInfoFromLoadContext(aLoadContext, appId, isInBrowserElement, isPrivate);
+  bool valid = GetAppInfoFromParams(aLoadContext, aBrowser, appId,
+                                    isInBrowserElement);
+  if (!valid) {
+    return false;
+  }
 
   mCookieService->GetCookieStringInternal(hostURI, aIsForeign, aFromHttp, appId,
                                           isInBrowserElement, isPrivate, *aResult);
@@ -84,7 +96,8 @@ CookieServiceParent::RecvSetCookieString(const URIParams& aHost,
                                          const nsCString& aServerTime,
                                          const bool& aFromHttp,
                                          const IPC::SerializedLoadContext&
-                                               aLoadContext)
+                                               aLoadContext,
+                                         PBrowserParent* aBrowser)
 {
   if (!mCookieService)
     return true;
@@ -97,7 +110,11 @@ CookieServiceParent::RecvSetCookieString(const URIParams& aHost,
 
   uint32_t appId;
   bool isInBrowserElement, isPrivate;
-  GetAppInfoFromLoadContext(aLoadContext, appId, isInBrowserElement, isPrivate);
+  bool valid = GetAppInfoFromParams(aLoadContext, aBrowser, appId,
+                                    isInBrowserElement);
+  if (!valid) {
+    return false;
+  }
 
   nsDependentCString cookieString(aCookieString, 0);
   //TODO: bug 812475, pass a real channel object
diff --git a/netwerk/cookie/CookieServiceParent.h b/netwerk/cookie/CookieServiceParent.h
index d51a209287ff..ec228ae6a67e 100644
--- a/netwerk/cookie/CookieServiceParent.h
+++ b/netwerk/cookie/CookieServiceParent.h
@@ -13,6 +13,9 @@ class nsCookieService;
 class nsIIOService;
 
 namespace mozilla {
+namespace dom {
+  class PBrowserParent;
+}
 namespace net {
 
 class CookieServiceParent : public PCookieServiceParent
@@ -27,6 +30,7 @@ protected:
                                    const bool& aFromHttp,
                                    const IPC::SerializedLoadContext&
                                          loadContext,
+                                   mozilla::dom::PBrowserParent* aBrowser,
                                    nsCString* aResult);
 
   virtual bool RecvSetCookieString(const URIParams& aHost,
@@ -35,7 +39,8 @@ protected:
                                    const nsCString& aServerTime,
                                    const bool& aFromHttp,
                                    const IPC::SerializedLoadContext&
-                                         loadContext);
+                                         loadContext,
+                                   mozilla::dom::PBrowserParent* aBrowser);
 
   nsRefPtr<nsCookieService> mCookieService;
 };
diff --git a/netwerk/cookie/PCookieService.ipdl b/netwerk/cookie/PCookieService.ipdl
index 768eabf1f53e..5a004a9b1581 100644
--- a/netwerk/cookie/PCookieService.ipdl
+++ b/netwerk/cookie/PCookieService.ipdl
@@ -6,6 +6,7 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 include protocol PNecko;
+include protocol PBrowser;
 include URIParams;
 
 include "SerializedLoadContext.h";
@@ -64,7 +65,8 @@ parent:
   sync GetCookieString(URIParams host,
                        bool isForeign,
                        bool fromHttp,
-                       SerializedLoadContext loadContext)
+                       SerializedLoadContext loadContext,
+                       nullable PBrowser browser)
        returns (nsCString result);
 
   /*
@@ -101,7 +103,8 @@ parent:
                   nsCString cookieString,
                   nsCString serverTime,
                   bool fromHttp,
-                  SerializedLoadContext loadContext);
+                  SerializedLoadContext loadContext,
+                  nullable PBrowser browser);
 
   __delete__();
 };
diff --git a/netwerk/ipc/NeckoChild.cpp b/netwerk/ipc/NeckoChild.cpp
index 2eaa36849e11..195495a2ee43 100644
--- a/netwerk/ipc/NeckoChild.cpp
+++ b/netwerk/ipc/NeckoChild.cpp
@@ -86,7 +86,8 @@ NeckoChild::DeallocPHttpChannel(PHttpChannelChild* channel)
 }
 
 PFTPChannelChild*
-NeckoChild::AllocPFTPChannel()
+NeckoChild::AllocPFTPChannel(PBrowserChild* aBrowser,
+                             const SerializedLoadContext& aSerialized)
 {
   // We don't allocate here: see FTPChannelChild::AsyncOpen()
   NS_RUNTIMEABORT("AllocPFTPChannel should not be called");
@@ -140,7 +141,8 @@ NeckoChild::DeallocPWyciwygChannel(PWyciwygChannelChild* channel)
 }
 
 PWebSocketChild*
-NeckoChild::AllocPWebSocket(PBrowserChild* browser)
+NeckoChild::AllocPWebSocket(PBrowserChild* browser,
+                            const SerializedLoadContext& aSerialized)
 {
   NS_NOTREACHED("AllocPWebSocket should not be called");
   return nullptr;
diff --git a/netwerk/ipc/NeckoChild.h b/netwerk/ipc/NeckoChild.h
index 1b3455a4c72d..c8c10de230e3 100644
--- a/netwerk/ipc/NeckoChild.h
+++ b/netwerk/ipc/NeckoChild.h
@@ -33,9 +33,10 @@ protected:
   virtual bool DeallocPCookieService(PCookieServiceChild*);
   virtual PWyciwygChannelChild* AllocPWyciwygChannel();
   virtual bool DeallocPWyciwygChannel(PWyciwygChannelChild*);
-  virtual PFTPChannelChild* AllocPFTPChannel();
+  virtual PFTPChannelChild* AllocPFTPChannel(PBrowserChild* aBrowser,
+                                             const SerializedLoadContext& aSerialized);
   virtual bool DeallocPFTPChannel(PFTPChannelChild*);
-  virtual PWebSocketChild* AllocPWebSocket(PBrowserChild*);
+  virtual PWebSocketChild* AllocPWebSocket(PBrowserChild*, const SerializedLoadContext&);
   virtual bool DeallocPWebSocket(PWebSocketChild*);
   virtual PTCPSocketChild* AllocPTCPSocket(const nsString& aHost,
                                            const uint16_t& aPort,
diff --git a/netwerk/ipc/NeckoParent.cpp b/netwerk/ipc/NeckoParent.cpp
index 9c5e80739a7f..a550d4568f82 100644
--- a/netwerk/ipc/NeckoParent.cpp
+++ b/netwerk/ipc/NeckoParent.cpp
@@ -17,7 +17,8 @@
 #include "mozilla/dom/network/TCPSocketParent.h"
 #include "mozilla/ipc/URIUtils.h"
 #include "mozilla/Preferences.h"
-
+#include "mozilla/LoadContext.h"
+#include "nsPrintfCString.h"
 #include "nsHTMLDNSPrefetch.h"
 #include "nsIAppsService.h"
 #include "nsEscape.h"
@@ -25,6 +26,7 @@
 using mozilla::dom::TabParent;
 using mozilla::net::PTCPSocketParent;
 using mozilla::dom::TCPSocketParent;
+using IPC::SerializedLoadContext;
 
 namespace mozilla {
 namespace net {
@@ -57,11 +59,116 @@ NeckoParent::~NeckoParent()
 {
 }
 
-PHttpChannelParent*
-NeckoParent::AllocPHttpChannel(PBrowserParent* browser,
-                               const SerializedLoadContext& loadContext)
+static PBOverrideStatus
+PBOverrideStatusFromLoadContext(const SerializedLoadContext& aSerialized)
 {
-  HttpChannelParent *p = new HttpChannelParent(browser, loadContext);
+  if (!aSerialized.IsNotNull() && aSerialized.IsPrivateBitValid()) {
+    return aSerialized.mUsePrivateBrowsing ?
+      kPBOverride_Private :
+      kPBOverride_NotPrivate;
+  }
+  return kPBOverride_Unset;
+}
+
+const char*
+NeckoParent::GetValidatedAppInfo(const SerializedLoadContext& aSerialized,
+                                 PBrowserParent* aBrowser,
+                                 uint32_t* aAppId,
+                                 bool* aInBrowserElement)
+{
+  if (!gDisableIPCSecurity) {
+    if (!aBrowser) {
+      return "missing required PBrowser argument";
+    }
+    if (!aSerialized.IsNotNull()) {
+      return "SerializedLoadContext from child is null";
+    }
+  }
+
+  *aAppId = NECKO_UNKNOWN_APP_ID;
+  *aInBrowserElement = false;
+
+  if (aBrowser) {
+    nsRefPtr<TabParent> tabParent = static_cast<TabParent*>(aBrowser);
+
+    *aAppId = tabParent->OwnOrContainingAppId();
+    *aInBrowserElement = tabParent->IsBrowserElement();
+
+    if (*aAppId == NECKO_UNKNOWN_APP_ID) {
+      return "TabParent reports appId=NECKO_UNKNOWN_APP_ID!";
+    }
+    // We may get appID=NO_APP if child frame is neither a browser nor an app
+    if (*aAppId == NECKO_NO_APP_ID) {
+      if (tabParent->HasOwnApp()) {
+        return "TabParent reports NECKO_NO_APP_ID but also is an app";
+      }
+      if (!gDisableIPCSecurity && tabParent->IsBrowserElement()) {
+        // <iframe mozbrowser> which doesn't have an <iframe mozapp> above it.
+        // This is not supported now, and we'll need to do a code audit to make
+        // sure we can handle it (i.e don't short-circuit using separate
+        // namespace if just appID==0)
+        return "TabParent reports appId=NECKO_NO_APP_ID but is a mozbrowser";
+      }
+    }
+  } else {
+    // Only trust appId/inBrowser from child-side loadcontext if we're in
+    // testing mode: allows xpcshell tests to masquerade as apps
+    MOZ_ASSERT(gDisableIPCSecurity);
+    if (!gDisableIPCSecurity) {
+      return "internal error";
+    }
+    if (aSerialized.IsNotNull()) {
+      *aAppId = aSerialized.mAppId;
+      *aInBrowserElement = aSerialized.mIsInBrowserElement;
+    } else {
+      *aAppId = NECKO_NO_APP_ID;
+    }
+  }
+  return nullptr;
+}
+
+const char *
+NeckoParent::CreateChannelLoadContext(PBrowserParent* aBrowser,
+                                      const SerializedLoadContext& aSerialized,
+                                      nsCOMPtr<nsILoadContext> &aResult)
+{
+  uint32_t appId = NECKO_UNKNOWN_APP_ID;
+  bool inBrowser = false;
+  nsIDOMElement* topFrameElement = nullptr;
+  const char* error = GetValidatedAppInfo(aSerialized, aBrowser, &appId, &inBrowser);
+  if (error) {
+    return error;
+  }
+
+  if (aBrowser) {
+    nsRefPtr<TabParent> tabParent = static_cast<TabParent*>(aBrowser);
+    topFrameElement = tabParent->GetOwnerElement();
+  }
+
+  // if gDisableIPCSecurity, we may not have a LoadContext to set. This is
+  // the common case for most xpcshell tests.
+  if (aSerialized.IsNotNull()) {
+    aResult = new LoadContext(aSerialized, topFrameElement, appId, inBrowser);
+  }
+
+  return nullptr;
+}
+
+PHttpChannelParent*
+NeckoParent::AllocPHttpChannel(PBrowserParent* aBrowser,
+                               const SerializedLoadContext& aSerialized)
+{
+  nsCOMPtr<nsILoadContext> loadContext;
+  const char *error = CreateChannelLoadContext(aBrowser, aSerialized,
+                                               loadContext);
+  if (error) {
+    NS_WARNING(nsPrintfCString("NeckoParent::AllocPHttpChannel: "
+                               "FATAL error: %s: KILLING CHILD PROCESS\n",
+                               error).get());
+    return nullptr;
+  }
+  PBOverrideStatus overrideStatus = PBOverrideStatusFromLoadContext(aSerialized);
+  HttpChannelParent *p = new HttpChannelParent(aBrowser, loadContext, overrideStatus);
   p->AddRef();
   return p;
 }
@@ -75,9 +182,20 @@ NeckoParent::DeallocPHttpChannel(PHttpChannelParent* channel)
 }
 
 PFTPChannelParent*
-NeckoParent::AllocPFTPChannel()
+NeckoParent::AllocPFTPChannel(PBrowserParent* aBrowser,
+                              const SerializedLoadContext& aSerialized)
 {
-  FTPChannelParent *p = new FTPChannelParent();
+  nsCOMPtr<nsILoadContext> loadContext;
+  const char *error = CreateChannelLoadContext(aBrowser, aSerialized,
+                                               loadContext);
+  if (error) {
+    NS_WARNING(nsPrintfCString("NeckoParent::AllocPFTPChannel: "
+                               "FATAL error: %s: KILLING CHILD PROCESS\n",
+                               error).get());
+    return nullptr;
+  }
+  PBOverrideStatus overrideStatus = PBOverrideStatusFromLoadContext(aSerialized);
+  FTPChannelParent *p = new FTPChannelParent(loadContext, overrideStatus);
   p->AddRef();
   return p;
 }
@@ -120,10 +238,23 @@ NeckoParent::DeallocPWyciwygChannel(PWyciwygChannelParent* channel)
 }
 
 PWebSocketParent*
-NeckoParent::AllocPWebSocket(PBrowserParent* browser)
+NeckoParent::AllocPWebSocket(PBrowserParent* browser,
+                             const SerializedLoadContext& serialized)
 {
+  nsCOMPtr<nsILoadContext> loadContext;
+  const char *error = CreateChannelLoadContext(browser, serialized,
+                                               loadContext);
+  if (error) {
+    NS_WARNING(nsPrintfCString("NeckoParent::AllocPWebSocket: "
+                               "FATAL error: %s: KILLING CHILD PROCESS\n",
+                               error).get());
+    return nullptr;
+  }
+
   TabParent* tabParent = static_cast<TabParent*>(browser);
-  WebSocketChannelParent* p = new WebSocketChannelParent(tabParent);
+  PBOverrideStatus overrideStatus = PBOverrideStatusFromLoadContext(serialized);
+  WebSocketChannelParent* p = new WebSocketChannelParent(tabParent, loadContext,
+                                                         overrideStatus);
   p->AddRef();
   return p;
 }
diff --git a/netwerk/ipc/NeckoParent.h b/netwerk/ipc/NeckoParent.h
index df22267e8e96..ecbb28d6d05a 100644
--- a/netwerk/ipc/NeckoParent.h
+++ b/netwerk/ipc/NeckoParent.h
@@ -14,6 +14,13 @@
 namespace mozilla {
 namespace net {
 
+// Used to override channel Private Browsing status if needed.
+enum PBOverrideStatus {
+  kPBOverride_Unset = 0,
+  kPBOverride_Private,
+  kPBOverride_NotPrivate
+};
+
 // Header file contents
 class NeckoParent :
   public PNeckoParent
@@ -22,6 +29,27 @@ public:
   NeckoParent();
   virtual ~NeckoParent();
 
+  MOZ_WARN_UNUSED_RESULT
+  static const char *
+  GetValidatedAppInfo(const SerializedLoadContext& aSerialized,
+                      PBrowserParent* aBrowser,
+                      uint32_t* aAppId,
+                      bool* aInBrowserElement);
+
+  /*
+   * Creates LoadContext for parent-side of an e10s channel.
+   *
+   * Values from PBrowserParent are more secure, and override those set in
+   * SerializedLoadContext.
+   *
+   * Returns null if successful, or an error string if failed.
+   */
+  MOZ_WARN_UNUSED_RESULT
+  static const char*
+  CreateChannelLoadContext(PBrowserParent* aBrowser,
+                           const SerializedLoadContext& aSerialized,
+                           nsCOMPtr<nsILoadContext> &aResult);
+
 protected:
   virtual PHttpChannelParent* AllocPHttpChannel(PBrowserParent*,
                                                 const SerializedLoadContext&);
@@ -30,9 +58,11 @@ protected:
   virtual bool DeallocPCookieService(PCookieServiceParent*);
   virtual PWyciwygChannelParent* AllocPWyciwygChannel();
   virtual bool DeallocPWyciwygChannel(PWyciwygChannelParent*);
-  virtual PFTPChannelParent* AllocPFTPChannel();
+  virtual PFTPChannelParent* AllocPFTPChannel(PBrowserParent* aBrowser,
+                                              const SerializedLoadContext& aSerialized);
   virtual bool DeallocPFTPChannel(PFTPChannelParent*);
-  virtual PWebSocketParent* AllocPWebSocket(PBrowserParent* browser);
+  virtual PWebSocketParent* AllocPWebSocket(PBrowserParent* browser,
+                                            const SerializedLoadContext& aSerialized);
   virtual bool DeallocPWebSocket(PWebSocketParent*);
   virtual PTCPSocketParent* AllocPTCPSocket(const nsString& aHost,
                                             const uint16_t& aPort,
@@ -56,7 +86,6 @@ protected:
   virtual bool RecvCancelHTMLDNSPrefetch(const nsString& hostname,
                                          const uint16_t& flags,
                                          const nsresult& reason);
-
 private:
   nsCString mCoreAppsBasePath;
   nsCString mWebAppsBasePath;
diff --git a/netwerk/ipc/PNecko.ipdl b/netwerk/ipc/PNecko.ipdl
index a1c12ba47b1d..572fcee3e970 100644
--- a/netwerk/ipc/PNecko.ipdl
+++ b/netwerk/ipc/PNecko.ipdl
@@ -43,8 +43,8 @@ parent:
   PHttpChannel(nullable PBrowser browser,
                SerializedLoadContext loadContext);
   PWyciwygChannel();
-  PFTPChannel();
-  PWebSocket(PBrowser browser);
+  PFTPChannel(PBrowser browser, SerializedLoadContext loadContext);
+  PWebSocket(PBrowser browser, SerializedLoadContext loadContext);
   PTCPSocket(nsString host, uint16_t port, bool useSSL, nsString binaryType,
              nullable PBrowser browser);
   PRemoteOpenFile(URIParams fileuri, nullable PBrowser browser);
diff --git a/netwerk/protocol/ftp/FTPChannelChild.cpp b/netwerk/protocol/ftp/FTPChannelChild.cpp
index bb799fbdcd96..9f10b9af82ee 100644
--- a/netwerk/protocol/ftp/FTPChannelChild.cpp
+++ b/netwerk/protocol/ftp/FTPChannelChild.cpp
@@ -7,8 +7,9 @@
 
 #include "mozilla/net/NeckoChild.h"
 #include "mozilla/net/FTPChannelChild.h"
+#include "mozilla/dom/TabChild.h"
 #include "nsFtpProtocolHandler.h"
-
+#include "nsITabChild.h"
 #include "nsStringStream.h"
 #include "nsMimeTypes.h"
 #include "nsNetUtil.h"
@@ -155,8 +156,18 @@ FTPChannelChild::AsyncOpen(::nsIStreamListener* listener, nsISupports* aContext)
   if (NS_FAILED(rv))
     return rv;
 
+  mozilla::dom::TabChild* tabChild = nullptr;
+  nsCOMPtr<nsITabChild> iTabChild;
+  NS_QueryNotificationCallbacks(mCallbacks, mLoadGroup,
+                                NS_GET_IID(nsITabChild),
+                                getter_AddRefs(iTabChild));
+  GetCallback(iTabChild);
+  if (iTabChild) {
+    tabChild = static_cast<mozilla::dom::TabChild*>(iTabChild.get());
+  }
+
   // FIXME: like bug 558623, merge constructor+SendAsyncOpen into 1 IPC msg
-  gNeckoChild->SendPFTPChannelConstructor(this);
+  gNeckoChild->SendPFTPChannelConstructor(this, tabChild, IPC::SerializedLoadContext(this));
   mListener = listener;
   mListenerContext = aContext;
 
@@ -170,8 +181,7 @@ FTPChannelChild::AsyncOpen(::nsIStreamListener* listener, nsISupports* aContext)
   OptionalInputStreamParams uploadStream;
   SerializeInputStream(mUploadStream, uploadStream);
 
-  SendAsyncOpen(uri, mStartPos, mEntityID, uploadStream,
-                IPC::SerializedLoadContext(this));
+  SendAsyncOpen(uri, mStartPos, mEntityID, uploadStream);
 
   // The socket transport layer in the chrome process now has a logical ref to
   // us until OnStopRequest is called.
@@ -509,11 +519,22 @@ FTPChannelChild::Resume()
 NS_IMETHODIMP
 FTPChannelChild::ConnectParent(uint32_t id)
 {
+  mozilla::dom::TabChild* tabChild = nullptr;
+  nsCOMPtr<nsITabChild> iTabChild;
+  NS_QueryNotificationCallbacks(mCallbacks, mLoadGroup,
+                                NS_GET_IID(nsITabChild),
+                                getter_AddRefs(iTabChild));
+  GetCallback(iTabChild);
+  if (iTabChild) {
+    tabChild = static_cast<mozilla::dom::TabChild*>(iTabChild.get());
+  }
+
   // The socket transport in the chrome process now holds a logical ref to us
   // until OnStopRequest, or we do a redirect, or we hit an IPDL error.
   AddIPDLReference();
 
-  if (!gNeckoChild->SendPFTPChannelConstructor(this))
+  if (!gNeckoChild->SendPFTPChannelConstructor(this, tabChild,
+                                               IPC::SerializedLoadContext(this)))
     return NS_ERROR_FAILURE;
 
   if (!SendConnectChannel(id))
diff --git a/netwerk/protocol/ftp/FTPChannelParent.cpp b/netwerk/protocol/ftp/FTPChannelParent.cpp
index 44cb7bb20a35..c69e25e03c43 100644
--- a/netwerk/protocol/ftp/FTPChannelParent.cpp
+++ b/netwerk/protocol/ftp/FTPChannelParent.cpp
@@ -23,8 +23,10 @@ using namespace mozilla::ipc;
 namespace mozilla {
 namespace net {
 
-FTPChannelParent::FTPChannelParent()
+FTPChannelParent::FTPChannelParent(nsILoadContext* aLoadContext, PBOverrideStatus aOverrideStatus)
   : mIPCClosed(false)
+  , mLoadContext(aLoadContext)
+  , mPBOverride(aOverrideStatus)
 {
   nsIProtocolHandler* handler;
   CallGetService(NS_NETWORK_PROTOCOL_CONTRACTID_PREFIX "ftp", &handler);
@@ -62,8 +64,7 @@ bool
 FTPChannelParent::RecvAsyncOpen(const URIParams& aURI,
                                 const uint64_t& aStartPos,
                                 const nsCString& aEntityID,
-                                const OptionalInputStreamParams& aUploadStream,
-                                const IPC::SerializedLoadContext& loadContext)
+                                const OptionalInputStreamParams& aUploadStream)
 {
   nsCOMPtr<nsIURI> uri = DeserializeURI(aURI);
   if (!uri)
@@ -87,7 +88,11 @@ FTPChannelParent::RecvAsyncOpen(const URIParams& aURI,
     return SendFailedAsyncOpen(rv);
 
   mChannel = static_cast<nsFtpChannel*>(chan.get());
-  
+
+  if (mPBOverride != kPBOverride_Unset) {
+    mChannel->SetPrivate(mPBOverride == kPBOverride_Private ? true : false);
+  }
+
   nsCOMPtr<nsIInputStream> upload = DeserializeInputStream(aUploadStream);
   if (upload) {
     // contentType and contentLength are ignored
@@ -100,14 +105,6 @@ FTPChannelParent::RecvAsyncOpen(const URIParams& aURI,
   if (NS_FAILED(rv))
     return SendFailedAsyncOpen(rv);
 
-  if (loadContext.IsNotNull())
-    mLoadContext = new LoadContext(loadContext);
-  else if (loadContext.IsPrivateBitValid()) {
-    nsCOMPtr<nsIPrivateBrowsingChannel> pbChannel = do_QueryInterface(chan);
-    if (pbChannel)
-      pbChannel->SetPrivate(loadContext.mUsePrivateBrowsing);
-  }
-
   rv = mChannel->AsyncOpen(this, nullptr);
   if (NS_FAILED(rv))
     return SendFailedAsyncOpen(rv);
diff --git a/netwerk/protocol/ftp/FTPChannelParent.h b/netwerk/protocol/ftp/FTPChannelParent.h
index 39e5fff7df01..ab048833aee4 100644
--- a/netwerk/protocol/ftp/FTPChannelParent.h
+++ b/netwerk/protocol/ftp/FTPChannelParent.h
@@ -10,6 +10,7 @@
 
 #include "mozilla/net/PFTPChannelParent.h"
 #include "mozilla/net/NeckoCommon.h"
+#include "mozilla/net/NeckoParent.h"
 #include "nsIParentChannel.h"
 #include "nsIInterfaceRequestor.h"
 #include "nsILoadContext.h"
@@ -30,15 +31,14 @@ public:
   NS_DECL_NSIPARENTCHANNEL
   NS_DECL_NSIINTERFACEREQUESTOR
 
-  FTPChannelParent();
+  FTPChannelParent(nsILoadContext* aLoadContext, PBOverrideStatus aOverrideStatus);
   virtual ~FTPChannelParent();
 
 protected:
   virtual bool RecvAsyncOpen(const URIParams& uri,
                              const uint64_t& startPos,
                              const nsCString& entityID,
-                             const OptionalInputStreamParams& uploadStream,
-                             const IPC::SerializedLoadContext& loadContext) MOZ_OVERRIDE;
+                             const OptionalInputStreamParams& uploadStream) MOZ_OVERRIDE;
   virtual bool RecvConnectChannel(const uint32_t& channelId) MOZ_OVERRIDE;
   virtual bool RecvCancel(const nsresult& status) MOZ_OVERRIDE;
   virtual bool RecvSuspend() MOZ_OVERRIDE;
@@ -51,6 +51,8 @@ protected:
   bool mIPCClosed;
 
   nsCOMPtr<nsILoadContext> mLoadContext;
+
+  PBOverrideStatus mPBOverride;
 };
 
 } // namespace net
diff --git a/netwerk/protocol/ftp/PFTPChannel.ipdl b/netwerk/protocol/ftp/PFTPChannel.ipdl
index 7c2929ec630c..e74a5fb24181 100644
--- a/netwerk/protocol/ftp/PFTPChannel.ipdl
+++ b/netwerk/protocol/ftp/PFTPChannel.ipdl
@@ -13,7 +13,6 @@ include protocol PBlob; //FIXME: bug #792908
 
 include "SerializedLoadContext.h";
 
-using IPC::SerializedLoadContext;
 using PRTime;
 
 namespace mozilla {
@@ -29,8 +28,7 @@ parent:
   AsyncOpen(URIParams uri,
             uint64_t startPos,
             nsCString entityID,
-            OptionalInputStreamParams uploadStream,
-            SerializedLoadContext loadContext);
+            OptionalInputStreamParams uploadStream);
 
   ConnectChannel(uint32_t channelId);
   Cancel(nsresult status);
diff --git a/netwerk/protocol/http/HttpChannelParent.cpp b/netwerk/protocol/http/HttpChannelParent.cpp
index 74a17cb89a11..89699a45ab64 100644
--- a/netwerk/protocol/http/HttpChannelParent.cpp
+++ b/netwerk/protocol/http/HttpChannelParent.cpp
@@ -34,7 +34,8 @@ namespace mozilla {
 namespace net {
 
 HttpChannelParent::HttpChannelParent(PBrowserParent* iframeEmbedding,
-                                     const IPC::SerializedLoadContext& loadContext)
+                                     nsILoadContext* aLoadContext,
+                                     PBOverrideStatus aOverrideStatus)
   : mIPCClosed(false)
   , mStoredStatus(NS_OK)
   , mStoredProgress(0)
@@ -42,7 +43,8 @@ HttpChannelParent::HttpChannelParent(PBrowserParent* iframeEmbedding,
   , mSentRedirect1Begin(false)
   , mSentRedirect1BeginFailed(false)
   , mReceivedRedirect2Verify(false)
-  , mPBOverride(kPBOverride_Unset)
+  , mPBOverride(aOverrideStatus)
+  , mLoadContext(aLoadContext)
 {
   // Ensure gHttpHandler is initialized: we need the atom table up and running.
   nsIHttpProtocolHandler* handler;
@@ -50,18 +52,6 @@ HttpChannelParent::HttpChannelParent(PBrowserParent* iframeEmbedding,
   NS_ASSERTION(handler, "no http handler");
 
   mTabParent = static_cast<mozilla::dom::TabParent*>(iframeEmbedding);
-
-  if (loadContext.IsNotNull()) {
-    if (mTabParent) {
-      mLoadContext = new LoadContext(loadContext, mTabParent->GetOwnerElement());
-    } else {
-      mLoadContext = new LoadContext(loadContext);
-    }
-  } else if (loadContext.IsPrivateBitValid()) {
-    // Don't have channel yet: override PB status after we create it.
-    mPBOverride = loadContext.mUsePrivateBrowsing ? kPBOverride_Private
-                                                  : kPBOverride_NotPrivate;
-  }
 }
 
 HttpChannelParent::~HttpChannelParent()
diff --git a/netwerk/protocol/http/HttpChannelParent.h b/netwerk/protocol/http/HttpChannelParent.h
index fc7a9b7af2cc..6796ef58e085 100644
--- a/netwerk/protocol/http/HttpChannelParent.h
+++ b/netwerk/protocol/http/HttpChannelParent.h
@@ -12,6 +12,7 @@
 #include "mozilla/dom/PBrowserParent.h"
 #include "mozilla/net/PHttpChannelParent.h"
 #include "mozilla/net/NeckoCommon.h"
+#include "mozilla/net/NeckoParent.h"
 #include "nsIParentRedirectingChannel.h"
 #include "nsIProgressEventSink.h"
 #include "nsHttpChannel.h"
@@ -44,7 +45,8 @@ public:
   NS_DECL_NSIINTERFACEREQUESTOR
 
   HttpChannelParent(mozilla::dom::PBrowserParent* iframeEmbedding,
-                    const IPC::SerializedLoadContext& loadContext);
+                    nsILoadContext* aLoadContext,
+                    PBOverrideStatus aStatus);
   virtual ~HttpChannelParent();
 
 protected:
@@ -108,12 +110,6 @@ private:
   bool mSentRedirect1BeginFailed    : 1;
   bool mReceivedRedirect2Verify     : 1;
 
-  // Used to override channel Private Browsing status if needed.
-  enum PBOverrideStatus {
-    kPBOverride_Unset = 0,
-    kPBOverride_Private,
-    kPBOverride_NotPrivate
-  };
   PBOverrideStatus mPBOverride;
 
   nsCOMPtr<nsILoadContext> mLoadContext;
diff --git a/netwerk/protocol/websocket/PWebSocket.ipdl b/netwerk/protocol/websocket/PWebSocket.ipdl
index 1f9301f4a2a7..9c111eab4592 100644
--- a/netwerk/protocol/websocket/PWebSocket.ipdl
+++ b/netwerk/protocol/websocket/PWebSocket.ipdl
@@ -27,8 +27,7 @@ parent:
   AsyncOpen(URIParams aURI,
             nsCString aOrigin,
             nsCString aProtocol,
-            bool aSecure,
-            SerializedLoadContext loadContext);
+            bool aSecure);
   Close(uint16_t code, nsCString reason);
   SendMsg(nsCString aMsg);
   SendBinaryMsg(nsCString aMsg);
diff --git a/netwerk/protocol/websocket/WebSocketChannelChild.cpp b/netwerk/protocol/websocket/WebSocketChannelChild.cpp
index 6e4baa678d26..b4c395964476 100644
--- a/netwerk/protocol/websocket/WebSocketChannelChild.cpp
+++ b/netwerk/protocol/websocket/WebSocketChannelChild.cpp
@@ -338,9 +338,9 @@ WebSocketChannelChild::AsyncOpen(nsIURI *aURI,
   // Corresponding release in DeallocPWebSocket
   AddIPDLReference();
 
-  gNeckoChild->SendPWebSocketConstructor(this, tabChild);
-  if (!SendAsyncOpen(uri, nsCString(aOrigin), mProtocol, mEncrypted,
-                     IPC::SerializedLoadContext(this)))
+  gNeckoChild->SendPWebSocketConstructor(this, tabChild,
+                                         IPC::SerializedLoadContext(this));
+  if (!SendAsyncOpen(uri, nsCString(aOrigin), mProtocol, mEncrypted))
     return NS_ERROR_UNEXPECTED;
 
   mOriginalURI = aURI;
diff --git a/netwerk/protocol/websocket/WebSocketChannelParent.cpp b/netwerk/protocol/websocket/WebSocketChannelParent.cpp
index 8a659c7e5c3d..2edabddce278 100644
--- a/netwerk/protocol/websocket/WebSocketChannelParent.cpp
+++ b/netwerk/protocol/websocket/WebSocketChannelParent.cpp
@@ -7,7 +7,6 @@
 #include "WebSocketLog.h"
 #include "WebSocketChannelParent.h"
 #include "nsIAuthPromptProvider.h"
-#include "mozilla/LoadContext.h"
 #include "mozilla/ipc/InputStreamUtils.h"
 #include "mozilla/ipc/URIUtils.h"
 
@@ -20,10 +19,15 @@ NS_IMPL_THREADSAFE_ISUPPORTS2(WebSocketChannelParent,
                               nsIWebSocketListener,
                               nsIInterfaceRequestor)
 
-WebSocketChannelParent::WebSocketChannelParent(nsIAuthPromptProvider* aAuthProvider)
+WebSocketChannelParent::WebSocketChannelParent(nsIAuthPromptProvider* aAuthProvider,
+                                               nsILoadContext* aLoadContext,
+                                               PBOverrideStatus aOverrideStatus)
   : mAuthProvider(aAuthProvider)
+  , mLoadContext(aLoadContext)
   , mIPCOpen(true)
 {
+  // Websocket channels can't have a private browsing override
+  MOZ_ASSERT_IF(!aLoadContext, aOverrideStatus == kPBOverride_Unset);
 #if defined(PR_LOGGING)
   if (!webSocketLog)
     webSocketLog = PR_NewLogModule("nsWebSocket");
@@ -47,8 +51,7 @@ bool
 WebSocketChannelParent::RecvAsyncOpen(const URIParams& aURI,
                                       const nsCString& aOrigin,
                                       const nsCString& aProtocol,
-                                      const bool& aSecure,
-                                      const IPC::SerializedLoadContext& loadContext)
+                                      const bool& aSecure)
 {
   LOG(("WebSocketChannelParent::RecvAsyncOpen() %p\n", this));
 
@@ -65,14 +68,6 @@ WebSocketChannelParent::RecvAsyncOpen(const URIParams& aURI,
   if (NS_FAILED(rv))
     goto fail;
 
-  if (loadContext.IsNotNull())
-    mLoadContext = new LoadContext(loadContext);
-#ifdef DEBUG
-  else
-    // websocket channels cannot have a private bit override
-    MOZ_ASSERT(!loadContext.IsPrivateBitValid());
-#endif
-
   rv = mChannel->SetNotificationCallbacks(this);
   if (NS_FAILED(rv))
     goto fail;
diff --git a/netwerk/protocol/websocket/WebSocketChannelParent.h b/netwerk/protocol/websocket/WebSocketChannelParent.h
index fa70ad72a355..760b2975dd76 100644
--- a/netwerk/protocol/websocket/WebSocketChannelParent.h
+++ b/netwerk/protocol/websocket/WebSocketChannelParent.h
@@ -8,6 +8,7 @@
 #define mozilla_net_WebSocketChannelParent_h
 
 #include "mozilla/net/PWebSocketParent.h"
+#include "mozilla/net/NeckoParent.h"
 #include "nsIInterfaceRequestor.h"
 #include "nsIWebSocketListener.h"
 #include "nsIWebSocketChannel.h"
@@ -29,14 +30,15 @@ class WebSocketChannelParent : public PWebSocketParent,
   NS_DECL_NSIWEBSOCKETLISTENER
   NS_DECL_NSIINTERFACEREQUESTOR
 
-  WebSocketChannelParent(nsIAuthPromptProvider* aAuthProvider);
+  WebSocketChannelParent(nsIAuthPromptProvider* aAuthProvider,
+                         nsILoadContext* aLoadContext,
+                         PBOverrideStatus aOverrideStatus);
 
  private:
   bool RecvAsyncOpen(const URIParams& aURI,
                      const nsCString& aOrigin,
                      const nsCString& aProtocol,
-                     const bool& aSecure,
-                     const IPC::SerializedLoadContext& loadContext);
+                     const bool& aSecure);
   bool RecvClose(const uint16_t & code, const nsCString & reason);
   bool RecvSendMsg(const nsCString& aMsg);
   bool RecvSendBinaryMsg(const nsCString& aMsg);
diff --git a/netwerk/protocol/wyciwyg/PWyciwygChannel.ipdl b/netwerk/protocol/wyciwyg/PWyciwygChannel.ipdl
index 9e0bb345debf..23211f657d0f 100644
--- a/netwerk/protocol/wyciwyg/PWyciwygChannel.ipdl
+++ b/netwerk/protocol/wyciwyg/PWyciwygChannel.ipdl
@@ -3,6 +3,7 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 include protocol PNecko;
+include protocol PBrowser;
 include URIParams;
 
 include "SerializedLoadContext.h";
@@ -23,7 +24,8 @@ parent:
   Init(URIParams uri);
   AsyncOpen(URIParams             originalURI,
             uint32_t              loadFlags,
-            SerializedLoadContext loadContext);
+            SerializedLoadContext loadContext,
+            PBrowser browser);
 
   // methods corresponding to those of nsIWyciwygChannel
   WriteToCacheEntry(nsString data);
diff --git a/netwerk/protocol/wyciwyg/WyciwygChannelChild.cpp b/netwerk/protocol/wyciwyg/WyciwygChannelChild.cpp
index 63e102ce3f42..2b247bf92abd 100644
--- a/netwerk/protocol/wyciwyg/WyciwygChannelChild.cpp
+++ b/netwerk/protocol/wyciwyg/WyciwygChannelChild.cpp
@@ -6,6 +6,7 @@
 
 #include "mozilla/net/NeckoChild.h"
 #include "WyciwygChannelChild.h"
+#include "mozilla/dom/TabChild.h"
 
 #include "nsCharsetSource.h"
 #include "nsStringStream.h"
@@ -592,7 +593,16 @@ WyciwygChannelChild::AsyncOpen(nsIStreamListener *aListener, nsISupports *aConte
   URIParams originalURI;
   SerializeURI(mOriginalURI, originalURI);
 
-  SendAsyncOpen(originalURI, mLoadFlags, IPC::SerializedLoadContext(this));
+  mozilla::dom::TabChild* tabChild = nullptr;
+  nsCOMPtr<nsITabChild> iTabChild;
+  NS_QueryNotificationCallbacks(mCallbacks, mLoadGroup,
+                                NS_GET_IID(nsITabChild),
+                                getter_AddRefs(iTabChild));
+  if (iTabChild) {
+    tabChild = static_cast<mozilla::dom::TabChild*>(iTabChild.get());
+  }
+
+  SendAsyncOpen(originalURI, mLoadFlags, IPC::SerializedLoadContext(this), tabChild);
 
   mState = WCC_OPENED;
 
diff --git a/netwerk/protocol/wyciwyg/WyciwygChannelParent.cpp b/netwerk/protocol/wyciwyg/WyciwygChannelParent.cpp
index 9900c26f78f5..d6711cdde46c 100644
--- a/netwerk/protocol/wyciwyg/WyciwygChannelParent.cpp
+++ b/netwerk/protocol/wyciwyg/WyciwygChannelParent.cpp
@@ -11,8 +11,8 @@
 #include "nsCharsetSource.h"
 #include "nsISerializable.h"
 #include "nsSerializationHelper.h"
-#include "mozilla/LoadContext.h"
 #include "mozilla/ipc/URIUtils.h"
+#include "mozilla/net/NeckoParent.h"
 
 using namespace mozilla::ipc;
 
@@ -86,7 +86,8 @@ WyciwygChannelParent::RecvInit(const URIParams& aURI)
 bool
 WyciwygChannelParent::RecvAsyncOpen(const URIParams& aOriginal,
                                     const uint32_t& aLoadFlags,
-                                    const IPC::SerializedLoadContext& loadContext)
+                                    const IPC::SerializedLoadContext& loadContext,
+                                    PBrowserParent* aParent)
 {
   nsCOMPtr<nsIURI> original = DeserializeURI(aOriginal);
   if (!original)
@@ -107,9 +108,15 @@ WyciwygChannelParent::RecvAsyncOpen(const URIParams& aOriginal,
   if (NS_FAILED(rv))
     return SendCancelEarly(rv);
 
-  if (loadContext.IsNotNull())
-    mLoadContext = new LoadContext(loadContext);
-  else if (loadContext.IsPrivateBitValid()) {
+  const char* error = NeckoParent::CreateChannelLoadContext(aParent, loadContext,
+                                                            mLoadContext);
+  if (error) {
+    NS_WARNING(nsPrintfCString("WyciwygChannelParent::RecvAsyncOpen: error: %s\n",
+                               error).get());
+    return false;
+  }
+
+  if (!mLoadContext && loadContext.IsPrivateBitValid()) {
     nsCOMPtr<nsIPrivateBrowsingChannel> pbChannel = do_QueryInterface(mChannel);
     if (pbChannel)
       pbChannel->SetPrivate(loadContext.mUsePrivateBrowsing);
diff --git a/netwerk/protocol/wyciwyg/WyciwygChannelParent.h b/netwerk/protocol/wyciwyg/WyciwygChannelParent.h
index 819c31031f87..628b8df30a3a 100644
--- a/netwerk/protocol/wyciwyg/WyciwygChannelParent.h
+++ b/netwerk/protocol/wyciwyg/WyciwygChannelParent.h
@@ -14,6 +14,10 @@
 #include "nsILoadContext.h"
 
 namespace mozilla {
+namespace dom {
+  class PBrowserParent;
+}
+
 namespace net {
 
 class WyciwygChannelParent : public PWyciwygChannelParent
@@ -33,7 +37,8 @@ protected:
   virtual bool RecvInit(const URIParams& uri);
   virtual bool RecvAsyncOpen(const URIParams& original,
                              const uint32_t& loadFlags,
-                             const IPC::SerializedLoadContext& loadContext);
+                             const IPC::SerializedLoadContext& loadContext,
+                             PBrowserParent* parent);
   virtual bool RecvWriteToCacheEntry(const nsString& data);
   virtual bool RecvCloseCacheEntry(const nsresult& reason);
   virtual bool RecvSetCharsetAndSource(const int32_t& source,
diff --git a/uriloader/prefetch/OfflineCacheUpdateChild.cpp b/uriloader/prefetch/OfflineCacheUpdateChild.cpp
index 96e3e72a70af..203d11e0f415 100644
--- a/uriloader/prefetch/OfflineCacheUpdateChild.cpp
+++ b/uriloader/prefetch/OfflineCacheUpdateChild.cpp
@@ -441,7 +441,6 @@ OfflineCacheUpdateChild::Schedule()
     // a reference to us. Will be released in RecvFinish() that identifies 
     // the work has been done.
     child->SendPOfflineCacheUpdateConstructor(this, manifestURI, documentURI,
-                                              mInBrowser, mAppID,
                                               stickDocument);
 
     mIPCActivated = true;
diff --git a/uriloader/prefetch/OfflineCacheUpdateParent.cpp b/uriloader/prefetch/OfflineCacheUpdateParent.cpp
index 8bd86a790d3a..a94362ebae05 100644
--- a/uriloader/prefetch/OfflineCacheUpdateParent.cpp
+++ b/uriloader/prefetch/OfflineCacheUpdateParent.cpp
@@ -5,12 +5,14 @@
 
 #include "OfflineCacheUpdateParent.h"
 
+#include "mozilla/dom/TabParent.h"
 #include "mozilla/ipc/URIUtils.h"
 #include "nsOfflineCacheUpdate.h"
 #include "nsIApplicationCache.h"
 #include "nsNetUtil.h"
 
 using namespace mozilla::ipc;
+using mozilla::dom::TabParent;
 
 #if defined(PR_LOGGING)
 //
@@ -43,8 +45,11 @@ NS_IMPL_ISUPPORTS2(OfflineCacheUpdateParent,
 // OfflineCacheUpdateParent <public>
 //-----------------------------------------------------------------------------
 
-OfflineCacheUpdateParent::OfflineCacheUpdateParent()
+OfflineCacheUpdateParent::OfflineCacheUpdateParent(uint32_t aAppId,
+                                                   bool aIsInBrowser)
     : mIPCClosed(false)
+    , mIsInBrowserElement(aIsInBrowser)
+    , mAppId(aAppId)
 {
     // Make sure the service has been initialized
     nsOfflineCacheUpdateService* service =
@@ -69,8 +74,6 @@ OfflineCacheUpdateParent::ActorDestroy(ActorDestroyReason why)
 nsresult
 OfflineCacheUpdateParent::Schedule(const URIParams& aManifestURI,
                                    const URIParams& aDocumentURI,
-                                   const bool& isInBrowserElement,
-                                   const uint32_t& appId,
                                    const bool& stickDocument)
 {
     LOG(("OfflineCacheUpdateParent::RecvSchedule [%p]", this));
@@ -100,7 +103,7 @@ OfflineCacheUpdateParent::Schedule(const URIParams& aManifestURI,
     if (!NS_SecurityCompareURIs(manifestURI, documentURI, false))
         return NS_ERROR_DOM_SECURITY_ERR;
 
-    service->FindUpdate(manifestURI, appId, isInBrowserElement,
+    service->FindUpdate(manifestURI, mAppId, mIsInBrowserElement,
                         getter_AddRefs(update));
     if (!update) {
         update = new nsOfflineCacheUpdate();
@@ -108,7 +111,7 @@ OfflineCacheUpdateParent::Schedule(const URIParams& aManifestURI,
         // Leave aDocument argument null. Only glues and children keep 
         // document instances.
         rv = update->Init(manifestURI, documentURI, nullptr, nullptr,
-                          appId, isInBrowserElement);
+                          mAppId, mIsInBrowserElement);
         NS_ENSURE_SUCCESS(rv, rv);
 
         rv = update->Schedule();
diff --git a/uriloader/prefetch/OfflineCacheUpdateParent.h b/uriloader/prefetch/OfflineCacheUpdateParent.h
index 9b58e314fc84..c2fa97450f4d 100644
--- a/uriloader/prefetch/OfflineCacheUpdateParent.h
+++ b/uriloader/prefetch/OfflineCacheUpdateParent.h
@@ -14,6 +14,10 @@
 
 namespace mozilla {
 
+namespace dom {
+class TabParent;
+}
+
 namespace ipc {
 class URIParams;
 } // namespace ipc
@@ -34,11 +38,9 @@ public:
     nsresult
     Schedule(const URIParams& manifestURI,
              const URIParams& documentURI,
-             const bool& isInBrowserElement,
-             const uint32_t& appId,
              const bool& stickDocument);
 
-    OfflineCacheUpdateParent();
+    OfflineCacheUpdateParent(uint32_t aAppId, bool aIsInBrowser);
     ~OfflineCacheUpdateParent();
 
     virtual void ActorDestroy(ActorDestroyReason why);