Move CSP off ExpandedPrincipal
Categories
(Core :: DOM: Security, task, P3)
People
(Reporter: ckerschb, Unassigned)
References
(Depends on 1 open bug, Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-backlog1])
Within Bug 965637 we are moving the CSP from the Principal into the Client except for ExpandedPrincipals. This is meant as a follow up bug to Bug 965637 to actually move the CSP off ExpandedPrincipals as well. At the time of this writing it's not entirely clear where the CSP for expandedPrincipals should live.
Comment 1•6 years ago (ckerschb, Reporter)
Kris, within Bug 965637 we are going to move the CSP from the Principal into the Client except for extensions where we (for now) keep the CSP on ExpandedPrincipals. Within this bug we would like to get the CSP off the Expanded Principal and move it somewhere else - any preference or suggestions where the CSP for extensions could remain?
Comment 2•3 years ago
There are three callers of ExpandedPrincipal::SetCsp.

Document::InitCSP
- unreachable code, can be removed, see bug 1743042

Element::CreateDevtoolsPrincipal
- This was added in bug 1228985 and bug 1391994. I didn't check where this should go to, probably better to ask the ones who work on this area

ApplyAddonContentScriptCSP (called by nsXPCComponents_utils_Sandbox::CallOrConstruct)
- Could be moved to "the sandbox". The "sandbox" is basically a JS global with a given principal. In the case of extension code, the principal is an ExpandedPrincipal that contains the extension principal and document principal (and in some cases just the document principal, for user script sandboxes without extension code). There is complicated logic to offer DOM APIs to content scripts (basically by letting the global inherit from the window via the prototype).
- The nsCSPContext instance could be owned by RealmPrivate, CompartmentPrivate or SandboxPrivate instead of ExpandedPrincipal. To find the relevant places, track down the logic after ApplyAddonContentCSP + CreateSandboxObject in nsXPCComponents_utils_Sandbox::CallOrConstruct.

You should also clean up the work-around that we added in bug 1741600 to avoid memory leaks (caused by nsCSPContext and ExpandedPrincipal having a strong reference to each other).

There is also some dead code that should be removed, as it will definitely not be needed any more once you've moved nsCSPContext off ExpandedPrincipal: https://searchfox.org/mozilla-central/rev/7fe9421af35256a95acc4620e9e0b76df7867287/dom/security/nsCSPContext.h#127-131
(for the history behind that code, see https://bugzilla.mozilla.org/show_bug.cgi?id=1741600#c7).
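The ownership problem Comment 2 describes, as an added illustration that is not Mozilla code and not part of this bug: when the CSP object and the principal each hold a strong reference to the other (the cycle worked around in bug 1741600), neither is ever released; hanging the CSP off the sandbox global instead, with the CSP only weakly observing its principal, lets both go away with the sandbox. Principal, LegacyCspContext, CspContext and SandboxGlobal are assumed stand-in names for ExpandedPrincipal, nsCSPContext and SandboxPrivate/RealmPrivate, modelled with std::shared_ptr rather than XPCOM refcounting.

```cpp
// Added illustration, not Mozilla code. Models the reference cycle between
// a CSP object and its principal versus owning the CSP from the sandbox global.
// All type names are assumed stand-ins for the real Gecko classes.
#include <memory>
#include <string>
#include <utility>
#include <vector>

static int g_livePrincipals = 0;  // maintained by Principal ctor/dtor
static int g_liveCsps = 0;        // maintained by both CSP types' ctor/dtor

struct LegacyCspContext;

// Stand-in for ExpandedPrincipal. In the old layout it owns the CSP.
struct Principal {
    std::string origin;
    std::shared_ptr<LegacyCspContext> csp;
    explicit Principal(std::string o) : origin(std::move(o)) { ++g_livePrincipals; }
    ~Principal() { --g_livePrincipals; }
};

// Old layout: the CSP also keeps its principal alive -> strong reference cycle.
struct LegacyCspContext {
    std::vector<std::string> policies;
    std::shared_ptr<Principal> requestPrincipal;
    LegacyCspContext() { ++g_liveCsps; }
    ~LegacyCspContext() { --g_liveCsps; }
};

// New layout: the CSP only observes its principal and never owns it.
struct CspContext {
    std::vector<std::string> policies;
    std::weak_ptr<Principal> requestPrincipal;
    CspContext() { ++g_liveCsps; }
    ~CspContext() { --g_liveCsps; }
    // Origin of the owning principal, or "" once that principal is gone.
    std::string principalOrigin() const {
        if (auto p = requestPrincipal.lock()) return p->origin;
        return "";
    }
};

// Stand-in for the sandbox global (SandboxPrivate/RealmPrivate in the comment):
// it owns both the principal and the CSP, so tearing it down tears down both.
struct SandboxGlobal {
    std::shared_ptr<Principal> principal;
    std::shared_ptr<CspContext> csp;
};

// Build the old layout, drop every handle, and report what is still alive.
// Returns {live principals, live CSPs}; anything but {0, 0} is a leak.
std::pair<int, int> legacyLayoutLeak() {
    g_livePrincipals = 0;
    g_liveCsps = 0;
    {
        auto principal = std::make_shared<Principal>("moz-extension://example");
        auto csp = std::make_shared<LegacyCspContext>();
        csp->policies.push_back("script-src 'self'");
        principal->csp = csp;               // principal -> CSP (strong)
        csp->requestPrincipal = principal;  // CSP -> principal (strong): cycle
    }  // both locals are gone, but each object still keeps the other alive
    return {g_livePrincipals, g_liveCsps};
}

// Build the new layout and report what is still alive once the sandbox is gone.
std::pair<int, int> sandboxLayoutLeak() {
    g_livePrincipals = 0;
    g_liveCsps = 0;
    {
        SandboxGlobal sandbox;
        sandbox.principal = std::make_shared<Principal>("moz-extension://example");
        sandbox.csp = std::make_shared<CspContext>();
        sandbox.csp->policies.push_back("script-src 'self'");
        sandbox.csp->requestPrincipal = sandbox.principal;  // weak: no cycle
    }  // the sandbox owned both objects; they are destroyed here
    return {g_livePrincipals, g_liveCsps};
}

// A CSP that outlives its sandbox (e.g. held by a pending callback) can still
// reach the principal while the sandbox exists, and fails cleanly afterwards
// instead of dereferencing a dangling pointer.
std::pair<std::string, std::string> originBeforeAndAfterTeardown() {
    std::shared_ptr<CspContext> keptByCallback;
    std::string before;
    {
        SandboxGlobal sandbox;
        sandbox.principal = std::make_shared<Principal>("moz-extension://example");
        sandbox.csp = std::make_shared<CspContext>();
        sandbox.csp->requestPrincipal = sandbox.principal;
        keptByCallback = sandbox.csp;
        before = keptByCallback->principalOrigin();
    }
    return {before, keptByCallback->principalOrigin()};
}
```

The weak back-reference is the check a practitioner wants when moving the CSP: any code path that reaches the principal from the CSP has to tolerate the principal being gone, which the old strong reference hid at the cost of the leak.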