in the file dom/push/PushRecord.jsm there is a call to createCodebasePrincipalFromOrigin: > 246 principal = Services.scriptSecurityManager.createCodebasePrincipalFromOrigin(url); > 247 principals.set(this, principal); I think we need to change this to a GlobalContextOriginAttribute and call createCodebasePrincipal with the url and the attrs so that we avoid any user context isolation.

Comment on attachment 8704111 [details] [diff] [review] patch Review of attachment 8704111 [details] [diff] [review]: ----------------------------------------------------------------- createGlobalContextOriginAttributes -> createDefaultContextOriginAttributes

I don't think this patch is needed. * The origin attributes are being added as a suffix to the uri here: http://mzl.la/1SlYnXU * The call to createCodebasePrincipalFromOrigin calls CreateCodebasePrincipal: http://mzl.la/1SlYqD3 * CreateCodebasePrincipal correctly populates the origin attributes from the origin: http://mzl.la/1MqybMH Resolving as WON'T FIX.