From 3f486554568f5d34a6930fe7842b39f0e1186073 Mon Sep 17 00:00:00 2001
From: Tom Schuster
Date: Wed, 21 May 2025 14:54:11 +0000
Subject: [PATCH] Bug 1967417 - Create a fallible LoadInfo factory. r=smaug,necko-reviewers,places-reviewers,kershaw

Differential Revision: https://phabricator.services.mozilla.com/D250182
---
docshell/base/nsDocShell.cpp | 20 ++++++------
dom/base/nsObjectLoadingContent.cpp | 24 +++++++++-----
dom/media/webrtc/jsapi/PeerConnectionImpl.cpp | 12 ++++---
dom/script/ScriptLoader.cpp | 4 +--
dom/security/nsContentSecurityUtils.cpp | 6 +++-
dom/serviceworkers/ServiceWorkerUtils.cpp | 18 +++++++----
dom/websocket/WebSocket.cpp | 4 +--
dom/xml/nsXMLContentSink.cpp | 12 +++----
image/imgLoader.cpp | 7 ++--
layout/style/FontFaceSetDocumentImpl.cpp | 6 +++-
layout/style/FontFaceSetWorkerImpl.cpp | 6 +++-
layout/style/Loader.cpp | 4 +--
netwerk/base/LoadInfo.cpp | 12 +++++++
netwerk/base/LoadInfo.h | 32 +++++++++++++------
netwerk/base/nsIOService.cpp | 12 +++----
netwerk/base/nsNetUtil.cpp | 12 +++----
netwerk/protocol/http/AlternateServices.cpp | 8 ++---
.../websocket/BaseWebSocketChannel.cpp | 4 +--
netwerk/test/fuzz/TestHttpFuzzing.cpp | 16 ++++++----
.../components/places/nsFaviconService.cpp | 4 +--
uriloader/preload/FetchPreloader.cpp | 4 +--
21 files changed, 145 insertions(+), 82 deletions(-)

diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp
index ea583f1cd0d4..6abc6320bceb 100644
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -10555,15 +10555,17 @@ nsresult nsDocShell::DoURILoad(nsDocShellLoadState* aLoadState, mBrowsingContext->SetTriggeringAndInheritPrincipals( aLoadState->TriggeringPrincipal(), aLoadState->PrincipalToInherit(), aLoadState->GetLoadIdentifier()); - RefPtr loadInfo = - (contentPolicyType == nsIContentPolicy::TYPE_DOCUMENT) - ? new LoadInfo(loadingWindow, uri, aLoadState->TriggeringPrincipal(), - topLevelLoadingContext, securityFlags, sandboxFlags) - : new LoadInfo(loadingPrincipal, aLoadState->TriggeringPrincipal(), - loadingNode, securityFlags, contentPolicyType, - Maybe(), - Maybe(), - sandboxFlags); + RefPtr loadInfo; + if (contentPolicyType == nsIContentPolicy::TYPE_DOCUMENT) { + loadInfo = + new LoadInfo(loadingWindow, uri, aLoadState->TriggeringPrincipal(), + topLevelLoadingContext, securityFlags, sandboxFlags); + } else { + loadInfo = MOZ_TRY(LoadInfo::Create( + loadingPrincipal, aLoadState->TriggeringPrincipal(), loadingNode, + securityFlags, contentPolicyType, Maybe(), + Maybe(), sandboxFlags)); + } RefPtr context = mBrowsingContext->GetCurrentWindowContext(); if (isAboutBlankLoadOntoInitialAboutBlank) { diff --git a/dom/base/nsObjectLoadingContent.cpp b/dom/base/nsObjectLoadingContent.cpp index 5b72a13863a5..26419de69eb8 100644 --- a/dom/base/nsObjectLoadingContent.cpp +++ b/dom/base/nsObjectLoadingContent.cpp 
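Review bot: The `MOZ_TRY` in the new `else` branch of `nsDocShell::DoURILoad` returns after `mBrowsingContext->SetTriggeringAndInheritPrincipals(...)` has already run a few lines above it. A failed `LoadInfo::Create` therefore leaves those principals and the load identifier recorded on the browsing context for a load that never starts. Whether that state is harmless depends on code outside this hunk, since the function body continues on both sides. Either build the LoadInfo before that call, or add a comment at the branch once confirmed, for example `// On failure the principals set above stay on the browsing context; TODO confirm this is benign.`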
@@ -613,11 +613,15 @@ bool nsObjectLoadingContent::CheckLoadPolicy(int16_t* aContentPolicy) { nsContentPolicyType contentPolicyType = GetContentPolicyType(); - nsCOMPtr secCheckLoadInfo = - new LoadInfo(doc->NodePrincipal(), // loading principal - doc->NodePrincipal(), // triggering principal - el, nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK, - contentPolicyType); + Result, nsresult> maybeLoadInfo = + LoadInfo::Create(doc->NodePrincipal(), // loading principal + doc->NodePrincipal(), // triggering principal + el, nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK, + contentPolicyType); + if (NS_WARN_IF(maybeLoadInfo.isErr())) { + return false; + } + RefPtr secCheckLoadInfo = maybeLoadInfo.unwrap(); *aContentPolicy = nsIContentPolicy::ACCEPT; nsresult rv = @@ -653,10 +657,14 @@ bool nsObjectLoadingContent::CheckProcessPolicy(int16_t* aContentPolicy) { return false; } - nsCOMPtr secCheckLoadInfo = new LoadInfo( + Result, nsresult> maybeLoadInfo = LoadInfo::Create( doc->NodePrincipal(), // loading principal doc->NodePrincipal(), // triggering principal el, nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK, objectType); + if (NS_WARN_IF(maybeLoadInfo.isErr())) { + return false; + } + RefPtr secCheckLoadInfo = maybeLoadInfo.unwrap(); *aContentPolicy = nsIContentPolicy::ACCEPT; nsresult rv = NS_CheckContentProcessPolicy( @@ -1433,7 +1441,7 @@ nsresult nsObjectLoadingContent::OpenChannel() { } // --- Create LoadInfo - RefPtr loadInfo = new LoadInfo( + RefPtr loadInfo = MOZ_TRY(LoadInfo::Create( /*aLoadingPrincipal = aLoadingContext->NodePrincipal() */ nullptr, /*aTriggeringPrincipal = aLoadingPrincipal */ nullptr, /*aLoadingContext = */ el, 
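Review bot: On the new failure path in `nsObjectLoadingContent::CheckLoadPolicy`, and the identical one in `CheckProcessPolicy` in the next hunk, the function returns `false` before `*aContentPolicy = nsIContentPolicy::ACCEPT;` runs. The out-parameter therefore keeps whatever the caller passed in. If any caller reads `*aContentPolicy` after a `false` return (callers are not visible here), it would act on an unrelated value. Assigning a rejecting value first keeps the out-parameter consistent with the return: `*aContentPolicy = nsIContentPolicy::REJECT_REQUEST;` before `return false;`. Both function bodies continue outside their hunks.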
@@ -1441,7 +1449,7 @@ nsresult nsObjectLoadingContent::OpenChannel() { /*aContentPolicyType = */ contentPolicyType, /*aLoadingClientInfo = */ Nothing(), /*aController = */ Nothing(), - /*aSandboxFlags = */ sandboxFlags); + /*aSandboxFlags = */ sandboxFlags)); if (inheritAttrs) { loadInfo->SetPrincipalToInherit(el->NodePrincipal()); diff --git a/dom/media/webrtc/jsapi/PeerConnectionImpl.cpp b/dom/media/webrtc/jsapi/PeerConnectionImpl.cpp index 4a89dd92b1fa..31495e1713a9 100644 --- a/dom/media/webrtc/jsapi/PeerConnectionImpl.cpp +++ b/dom/media/webrtc/jsapi/PeerConnectionImpl.cpp @@ -4874,10 +4874,14 @@ std::unique_ptr PeerConnectionImpl::GetProxyConfig() } TabId id = browserChild->GetTabId(); - nsCOMPtr loadInfo = - new net::LoadInfo(doc->NodePrincipal(), doc->NodePrincipal(), doc, - nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL, - nsIContentPolicy::TYPE_PROXIED_WEBRTC_MEDIA); + Result, nsresult> maybeLoadInfo = net::LoadInfo::Create( + doc->NodePrincipal(), doc->NodePrincipal(), doc, + nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL, + nsIContentPolicy::TYPE_PROXIED_WEBRTC_MEDIA); + if (NS_WARN_IF(maybeLoadInfo.isErr())) { + return nullptr; + } + RefPtr loadInfo = maybeLoadInfo.unwrap(); net::LoadInfoArgs loadInfoArgs; MOZ_ALWAYS_SUCCEEDS( diff --git a/dom/script/ScriptLoader.cpp b/dom/script/ScriptLoader.cpp index 51f63f998e47..f5496e0d9ba3 100644 --- a/dom/script/ScriptLoader.cpp +++ b/dom/script/ScriptLoader.cpp 
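Review bot: In `PeerConnectionImpl::GetProxyConfig` the new error branch returns `nullptr`, which for a load typed `nsIContentPolicy::TYPE_PROXIED_WEBRTC_MEDIA` needs a stated meaning. If callers treat a null config as "no proxy configured" (they are outside this hunk), a LoadInfo creation failure would fall back to unproxied connections instead of failing setup. A comment at the branch should say which it is, for example `// Null config: TODO confirm callers do not treat this as permission to connect without the proxy.` If the fallback is real, the failure should be surfaced in a way the caller can tell apart from the no-proxy case. The function body continues outside the hunk.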
@@ -477,11 +477,11 @@ nsresult ScriptLoader::CheckContentPolicy(nsIScriptElement* aElement, if (aElement) { requestingNode = do_QueryInterface(aElement); } - nsCOMPtr secCheckLoadInfo = new net::LoadInfo( + nsCOMPtr secCheckLoadInfo = MOZ_TRY(net::LoadInfo::Create( mDocument->NodePrincipal(), // loading principal mDocument->NodePrincipal(), // triggering principal requestingNode, nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK, - contentPolicyType); + contentPolicyType)); secCheckLoadInfo->SetParserCreatedScript(aElement && aElement->GetParserCreated() != mozilla::dom::NOT_FROM_PARSER); diff --git a/dom/security/nsContentSecurityUtils.cpp b/dom/security/nsContentSecurityUtils.cpp index 7d4b8f2a1f55..710691fcb86c 100644 --- a/dom/security/nsContentSecurityUtils.cpp +++ b/dom/security/nsContentSecurityUtils.cpp @@ -2220,10 +2220,14 @@ long nsContentSecurityUtils::ClassifyDownload( loadingPrincipal = loadInfo->TriggeringPrincipal(); } // Creating a fake Loadinfo that is just used for the MCB check. - nsCOMPtr secCheckLoadInfo = new mozilla::net::LoadInfo( + Result, nsresult> maybeLoadInfo = net::LoadInfo::Create( loadingPrincipal, loadInfo->TriggeringPrincipal(), nullptr, nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK, nsIContentPolicy::TYPE_FETCH); + if (maybeLoadInfo.isErr()) { + return nsITransfer::DOWNLOAD_FORBIDDEN; + } + RefPtr secCheckLoadInfo = maybeLoadInfo.unwrap(); // Disable HTTPS-Only checks for that loadinfo. This is required because // otherwise nsMixedContentBlocker::ShouldLoad would assume that the request // is safe, because HTTPS-Only is handling it. diff --git a/dom/serviceworkers/ServiceWorkerUtils.cpp b/dom/serviceworkers/ServiceWorkerUtils.cpp index 3a290eae9eb2..c7aaa52d24e8 100644 --- a/dom/serviceworkers/ServiceWorkerUtils.cpp +++ b/dom/serviceworkers/ServiceWorkerUtils.cpp 
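Review bot: The error branch added in `nsContentSecurityUtils::ClassifyDownload` is the only early-return site in this patch that tests `maybeLoadInfo.isErr()` without `NS_WARN_IF`. Returning `nsITransfer::DOWNLOAD_FORBIDDEN` is the fail-closed choice and should stay, but a download refused because the LoadInfo could not be built leaves no warning behind. Writing the test as `if (NS_WARN_IF(maybeLoadInfo.isErr())) {` matches the other call sites and makes the cause visible in debug builds.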
@@ -354,12 +354,18 @@ void ServiceWorkerScopeAndScriptAreValid(const ClientInfo& aClientInfo, // logic here (and the CheckMayLoad calls above) corresponds to the steps of // the register (https://w3c.github.io/ServiceWorker/#register-algorithm) // which explicitly throws a SecurityError. - nsCOMPtr secCheckLoadInfo = new mozilla::net::LoadInfo( - principal, // loading principal - principal, // triggering principal - maybeDoc, // loading node - nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK, - nsIContentPolicy::TYPE_INTERNAL_SERVICE_WORKER, Some(aClientInfo)); + Result, nsresult> maybeLoadInfo = + net::LoadInfo::Create( + principal, // loading principal + principal, // triggering principal + maybeDoc, // loading node + nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK, + nsIContentPolicy::TYPE_INTERNAL_SERVICE_WORKER, Some(aClientInfo)); + if (NS_WARN_IF(maybeLoadInfo.isErr())) { + aResult.ThrowSecurityError("Script URL is not allowed by policy."); + return; + } + RefPtr secCheckLoadInfo = maybeLoadInfo.unwrap(); if (cspListener) { rv = secCheckLoadInfo->SetCspEventListener(cspListener); diff --git a/dom/websocket/WebSocket.cpp b/dom/websocket/WebSocket.cpp index 505f63951cba..ea692b1f6e5c 100644 --- a/dom/websocket/WebSocket.cpp +++ b/dom/websocket/WebSocket.cpp @@ -1711,11 +1711,11 @@ nsresult WebSocketImpl::Init(nsIGlobalObject* aWindowGlobal, JSContext* aCx, // AsyncOpen(). // Please note that websockets can't follow redirects, hence there is no // need to perform a CSP check after redirects. - nsCOMPtr secCheckLoadInfo = new net::LoadInfo( + nsCOMPtr secCheckLoadInfo = MOZ_TRY(net::LoadInfo::Create( aPrincipal, // loading principal aPrincipal, // triggering principal originDoc, nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK, - nsIContentPolicy::TYPE_WEBSOCKET, aClientInfo); + nsIContentPolicy::TYPE_WEBSOCKET, aClientInfo)); if (aCSPEventListener) { secCheckLoadInfo->SetCspEventListener(aCSPEventListener); 
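Review bot: The new failure branch in `ServiceWorkerScopeAndScriptAreValid` throws a SecurityError with the text "Script URL is not allowed by policy.", although at that point no policy check has run. Only construction of the LoadInfo failed, and the `nsresult` carried by `maybeLoadInfo` is dropped. Rejecting the registration is the right fail-closed behaviour, but the message points anyone debugging it at a CSP rule that was never evaluated. A comment such as `// Not a policy verdict: LoadInfo creation failed, so the registration is rejected.` or a distinct message string would keep the two cases apart.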
diff --git a/dom/xml/nsXMLContentSink.cpp b/dom/xml/nsXMLContentSink.cpp index cac6ca949e6d..3b2ee47c89d9 100644 --- a/dom/xml/nsXMLContentSink.cpp +++ b/dom/xml/nsXMLContentSink.cpp @@ -763,12 +763,12 @@ nsresult nsXMLContentSink::MaybeProcessXSLTLink( mDocument->InnerWindowID()); NS_ENSURE_SUCCESS(rv, NS_OK); - nsCOMPtr secCheckLoadInfo = - new net::LoadInfo(mDocument->NodePrincipal(), // loading principal - mDocument->NodePrincipal(), // triggering principal - aProcessingInstruction, - nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK, - nsIContentPolicy::TYPE_XSLT); + nsCOMPtr secCheckLoadInfo = MOZ_TRY( + net::LoadInfo::Create(mDocument->NodePrincipal(), // loading principal + mDocument->NodePrincipal(), // triggering principal + aProcessingInstruction, + nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK, + nsIContentPolicy::TYPE_XSLT)); // Do content policy check int16_t decision = nsIContentPolicy::ACCEPT; diff --git a/image/imgLoader.cpp b/image/imgLoader.cpp index 718f513f4be4..f470077fdb39 100644 --- a/image/imgLoader.cpp +++ b/image/imgLoader.cpp @@ -727,10 +727,13 @@ static bool ShouldLoadCachedImage(imgRequest* aImgRequest, loadingPrincipal = NullPrincipal::CreateWithoutOriginAttributes(); } - nsCOMPtr secCheckLoadInfo = new LoadInfo( + Result, nsresult> maybeLoadInfo = LoadInfo::Create( loadingPrincipal, aTriggeringPrincipal, aLoadingDocument, nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK, aPolicyType); - + if (NS_WARN_IF(maybeLoadInfo.isErr())) { + return false; + } + RefPtr secCheckLoadInfo = maybeLoadInfo.unwrap(); secCheckLoadInfo->SetSendCSPViolationEvents(aSendCSPViolationReports); int16_t decision = nsIContentPolicy::REJECT_REQUEST; diff --git a/layout/style/FontFaceSetDocumentImpl.cpp b/layout/style/FontFaceSetDocumentImpl.cpp index 9e5c2b514150..fbedeced4902 100644 --- a/layout/style/FontFaceSetDocumentImpl.cpp +++ b/layout/style/FontFaceSetDocumentImpl.cpp 
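Review bot: `MOZ_TRY` in `nsXMLContentSink::MaybeProcessXSLTLink` makes a LoadInfo creation failure return the error code, while the check directly above it, `NS_ENSURE_SUCCESS(rv, NS_OK);`, turns a failure into `NS_OK`. If callers treat a failing return from this function as a sink error (not visible in this hunk), the new path changes what a failed stylesheet check does to the document. Handling the Result explicitly and returning `NS_OK` when `isErr()` would keep the two adjacent checks consistent; otherwise a comment should say why this one propagates. The function body continues outside the hunk.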
@@ -356,11 +356,15 @@ bool FontFaceSetDocumentImpl::IsFontLoadAllowed(const gfxFontFaceSrc& aSrc) { nsIPrincipal* principal = gfxPrincipal ? gfxPrincipal->NodePrincipal() : nullptr; - nsCOMPtr secCheckLoadInfo = new net::LoadInfo( + Result, nsresult> maybeLoadInfo = net::LoadInfo::Create( mDocument->NodePrincipal(), // loading principal principal, // triggering principal mDocument, nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK, nsIContentPolicy::TYPE_FONT); + if (NS_WARN_IF(maybeLoadInfo.isErr())) { + return false; + } + RefPtr secCheckLoadInfo = maybeLoadInfo.unwrap(); int16_t shouldLoad = nsIContentPolicy::ACCEPT; nsresult rv = diff --git a/layout/style/FontFaceSetWorkerImpl.cpp b/layout/style/FontFaceSetWorkerImpl.cpp index baf9791cec10..f00ee1463647 100644 --- a/layout/style/FontFaceSetWorkerImpl.cpp +++ b/layout/style/FontFaceSetWorkerImpl.cpp @@ -316,11 +316,15 @@ bool FontFaceSetWorkerImpl::IsFontLoadAllowed(const gfxFontFaceSrc& aSrc) { nsIPrincipal* principal = gfxPrincipal ? gfxPrincipal->NodePrincipal() : nullptr; - nsCOMPtr secCheckLoadInfo = new net::LoadInfo( + Result, nsresult> maybeLoadInfo = net::LoadInfo::Create( mWorkerRef->Private()->GetLoadingPrincipal(), // loading principal principal, // triggering principal nullptr, nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK, nsIContentPolicy::TYPE_FONT); + if (NS_WARN_IF(maybeLoadInfo.isErr())) { + return false; + } + RefPtr secCheckLoadInfo = maybeLoadInfo.unwrap(); int16_t shouldLoad = nsIContentPolicy::ACCEPT; nsresult rv = diff --git a/layout/style/Loader.cpp b/layout/style/Loader.cpp index 6ac35880668e..f12fb0a7e3c3 100644 --- a/layout/style/Loader.cpp +++ b/layout/style/Loader.cpp 
@@ -828,9 +828,9 @@ nsresult Loader::CheckContentPolicy(nsIPrincipal* aLoadingPrincipal, nsContentPolicyType contentPolicyType = ComputeContentPolicyType(aPreloadKind); - nsCOMPtr secCheckLoadInfo = new net::LoadInfo( + nsCOMPtr secCheckLoadInfo = MOZ_TRY(net::LoadInfo::Create( aLoadingPrincipal, aTriggeringPrincipal, aRequestingNode, - nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK, contentPolicyType); + nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK, contentPolicyType)); secCheckLoadInfo->SetCspNonce(aNonce); int16_t shouldLoad = nsIContentPolicy::ACCEPT; diff --git a/netwerk/base/LoadInfo.cpp b/netwerk/base/LoadInfo.cpp index 764513ad0bae..d9c35679b866 100644 --- a/netwerk/base/LoadInfo.cpp +++ b/netwerk/base/LoadInfo.cpp @@ -75,6 +75,18 @@ static nsContentPolicyType InternalContentPolicyTypeForFrame( : nsIContentPolicy::TYPE_INTERNAL_FRAME; } +/* static */ Result, nsresult> LoadInfo::Create( + nsIPrincipal* aLoadingPrincipal, nsIPrincipal* aTriggeringPrincipal, + nsINode* aLoadingContext, nsSecurityFlags aSecurityFlags, + nsContentPolicyType aContentPolicyType, + const Maybe& aLoadingClientInfo, + const Maybe& aController, + uint32_t aSandboxFlags) { + return MakeAndAddRef( + aLoadingPrincipal, aTriggeringPrincipal, aLoadingContext, aSecurityFlags, + aContentPolicyType, aLoadingClientInfo, aController, aSandboxFlags); +} + /* static */ already_AddRefed LoadInfo::CreateForDocument( dom::CanonicalBrowsingContext* aBrowsingContext, nsIURI* aURI, nsIPrincipal* aTriggeringPrincipal, const nsACString& aTriggeringRemoteType, diff --git a/netwerk/base/LoadInfo.h b/netwerk/base/LoadInfo.h index 93cc8d3630f7..f691db7ca9aa 100644 --- a/netwerk/base/LoadInfo.h +++ b/netwerk/base/LoadInfo.h @@ -19,6 +19,7 @@ #include "nsTArray.h" #include "mozilla/BasePrincipal.h" +#include "mozilla/Result.h" #include "mozilla/dom/ClientInfo.h" #include "mozilla/dom/ServiceWorkerDescriptor.h" 
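Review bot: `LoadInfo::Create` as added in netwerk/base/LoadInfo.cpp has no path that returns an error; it forwards its eight arguments to `MakeAndAddRef` and wraps the result. Every `isErr()` branch and `MOZ_TRY` introduced elsewhere in this patch is therefore unreachable for now, and so untested. The header comment says aLoadingPrincipal must not be null, but nothing in this body checks it. A short comment on the definition would tell readers the current state, for example `// Always returns Ok for now; argument validation that can fail belongs here.`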
@@ -66,6 +67,18 @@ class LoadInfo final : public nsILoadInfo { NS_DECL_ISUPPORTS NS_DECL_NSILOADINFO + // Currently used for most load types, but prefer the specialized factories + // below when possible. aLoadingPrincipal MUST NOT BE NULL. + static mozilla::Result, nsresult> Create( + nsIPrincipal* aLoadingPrincipal, nsIPrincipal* aTriggeringPrincipal, + nsINode* aLoadingContext, nsSecurityFlags aSecurityFlags, + nsContentPolicyType aContentPolicyType, + const Maybe& aLoadingClientInfo = + Maybe(), + const Maybe& aController = + Maybe(), + uint32_t aSandboxFlags = 0); + // Used for TYPE_DOCUMENT load. static already_AddRefed CreateForDocument( dom::CanonicalBrowsingContext* aBrowsingContext, nsIURI* aURI, @@ -87,6 +100,16 @@ class LoadInfo final : public nsILoadInfo { nsContentPolicyType aContentPolicyType, nsSecurityFlags aSecurityFlags, uint32_t aSandboxFlags); + // Constructor used for TYPE_DOCUMENT loads which have a different + // loadingContext than other loads. This ContextForTopLevelLoad is + // only used for content policy checks. + LoadInfo(nsPIDOMWindowOuter* aOuterWindow, nsIURI* aURI, + nsIPrincipal* aTriggeringPrincipal, + nsISupports* aContextForTopLevelLoad, nsSecurityFlags aSecurityFlags, + uint32_t aSandboxFlags); + + private: + // Use factory function Create. // aLoadingPrincipal MUST NOT BE NULL. LoadInfo(nsIPrincipal* aLoadingPrincipal, nsIPrincipal* aTriggeringPrincipal, nsINode* aLoadingContext, nsSecurityFlags aSecurityFlags, 
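Review bot: The comment on the new `Create` declaration says "aLoadingPrincipal MUST NOT BE NULL", yet `nsObjectLoadingContent::OpenChannel` in this same patch passes `nullptr` for both principals. Its inline comment `/*aLoadingPrincipal = aLoadingContext->NodePrincipal() */` shows it relies on the loading context instead. The declaration should document the real precondition, something like `// aLoadingPrincipal may be null only when aLoadingContext is non-null (TODO confirm against the constructor).` It should also add one sentence on what an `Err` result means and which `nsresult` values it can carry, since callers now branch on it.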
@@ -97,15 +120,6 @@ class LoadInfo final : public nsILoadInfo { Maybe(), uint32_t aSandboxFlags = 0); - // Constructor used for TYPE_DOCUMENT loads which have a different - // loadingContext than other loads. This ContextForTopLevelLoad is - // only used for content policy checks. - LoadInfo(nsPIDOMWindowOuter* aOuterWindow, nsIURI* aURI, - nsIPrincipal* aTriggeringPrincipal, - nsISupports* aContextForTopLevelLoad, nsSecurityFlags aSecurityFlags, - uint32_t aSandboxFlags); - - private: // Use factory function CreateForDocument // Used for TYPE_DOCUMENT load. LoadInfo(dom::CanonicalBrowsingContext* aBrowsingContext, nsIURI* aURI, diff --git a/netwerk/base/nsIOService.cpp b/netwerk/base/nsIOService.cpp index 277e640509ca..d5d67023b94b 100644 --- a/netwerk/base/nsIOService.cpp +++ b/netwerk/base/nsIOService.cpp @@ -1183,9 +1183,9 @@ nsresult nsIOService::NewChannelFromURIWithProxyFlagsInternal( const Maybe& aController, uint32_t aSecurityFlags, nsContentPolicyType aContentPolicyType, uint32_t aSandboxFlags, nsIChannel** result) { - nsCOMPtr loadInfo = new LoadInfo( + nsCOMPtr loadInfo = MOZ_TRY(LoadInfo::Create( aLoadingPrincipal, aTriggeringPrincipal, aLoadingNode, aSecurityFlags, - aContentPolicyType, aLoadingClientInfo, aController, aSandboxFlags); + aContentPolicyType, aLoadingClientInfo, aController, aSandboxFlags)); return NewChannelFromURIWithProxyFlagsInternal(aURI, aProxyURI, aProxyFlags, loadInfo, result); } 
@@ -2158,10 +2158,10 @@ nsresult nsIOService::SpeculativeConnectInternal( // connection from http to https. nsCOMPtr httpsURI; if (aURI->SchemeIs("http")) { - nsCOMPtr httpsOnlyCheckLoadInfo = - new LoadInfo(loadingPrincipal, loadingPrincipal, nullptr, - nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK, - nsIContentPolicy::TYPE_SPECULATIVE); + nsCOMPtr httpsOnlyCheckLoadInfo = MOZ_TRY( + LoadInfo::Create(loadingPrincipal, loadingPrincipal, nullptr, + nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK, + nsIContentPolicy::TYPE_SPECULATIVE)); // Check if https-only, or https-first would upgrade the request if (nsHTTPSOnlyUtils::ShouldUpgradeRequest(aURI, httpsOnlyCheckLoadInfo) || diff --git a/netwerk/base/nsNetUtil.cpp b/netwerk/base/nsNetUtil.cpp index 134a7f3cee39..1eb16c54d6f5 100644 --- a/netwerk/base/nsNetUtil.cpp +++ b/netwerk/base/nsNetUtil.cpp @@ -782,9 +782,9 @@ nsresult NS_NewInputStreamChannelInternal( const nsACString& aContentCharset, nsINode* aLoadingNode, nsIPrincipal* aLoadingPrincipal, nsIPrincipal* aTriggeringPrincipal, nsSecurityFlags aSecurityFlags, nsContentPolicyType aContentPolicyType) { - nsCOMPtr loadInfo = new mozilla::net::LoadInfo( - aLoadingPrincipal, aTriggeringPrincipal, aLoadingNode, aSecurityFlags, - aContentPolicyType); + nsCOMPtr loadInfo = MOZ_TRY( + LoadInfo::Create(aLoadingPrincipal, aTriggeringPrincipal, aLoadingNode, + aSecurityFlags, aContentPolicyType)); if (!loadInfo) { return NS_ERROR_UNEXPECTED; } 
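Review bot: In the first `NS_NewInputStreamChannelInternal` overload in nsNetUtil.cpp, the existing `if (!loadInfo) { return NS_ERROR_UNEXPECTED; }` now sits directly after `MOZ_TRY(LoadInfo::Create(...))`. With the `Create` body in this patch, an Ok result always holds an object, so the null test looks dead. It should be removed, or kept with a comment stating that an Ok result may still be null if that is intended. The same overload also calls `LoadInfo::Create` unqualified where the next hunk uses `net::LoadInfo::Create`; one spelling for both would read better.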
@@ -847,9 +847,9 @@ nsresult NS_NewInputStreamChannelInternal( nsIPrincipal* aLoadingPrincipal, nsIPrincipal* aTriggeringPrincipal, nsSecurityFlags aSecurityFlags, nsContentPolicyType aContentPolicyType, bool aIsSrcdocChannel /* = false */) { - nsCOMPtr loadInfo = new mozilla::net::LoadInfo( - aLoadingPrincipal, aTriggeringPrincipal, aLoadingNode, aSecurityFlags, - aContentPolicyType); + nsCOMPtr loadInfo = MOZ_TRY( + net::LoadInfo::Create(aLoadingPrincipal, aTriggeringPrincipal, + aLoadingNode, aSecurityFlags, aContentPolicyType)); return NS_NewInputStreamChannelInternal(outChannel, aUri, aData, aContentType, loadInfo, aIsSrcdocChannel); } diff --git a/netwerk/protocol/http/AlternateServices.cpp b/netwerk/protocol/http/AlternateServices.cpp index ddc0114b2ac7..cfee1c2ab352 100644 --- a/netwerk/protocol/http/AlternateServices.cpp +++ b/netwerk/protocol/http/AlternateServices.cpp @@ -696,10 +696,10 @@ class WellKnownChecker { nsresult Start() { LOG(("WellKnownChecker::Start %p\n", this)); - nsCOMPtr loadInfo = - new LoadInfo(nsContentUtils::GetSystemPrincipal(), nullptr, nullptr, - nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL, - nsIContentPolicy::TYPE_OTHER); + nsCOMPtr loadInfo = MOZ_TRY(LoadInfo::Create( + nsContentUtils::GetSystemPrincipal(), nullptr, nullptr, + nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL, + nsIContentPolicy::TYPE_OTHER)); loadInfo->SetOriginAttributes(mCI->GetOriginAttributes()); // allow deprecated HTTP request from SystemPrincipal loadInfo->SetAllowDeprecatedSystemRequests(true); diff --git a/netwerk/protocol/websocket/BaseWebSocketChannel.cpp b/netwerk/protocol/websocket/BaseWebSocketChannel.cpp index 6e9589afb2ef..c6194b158eb3 100644 --- a/netwerk/protocol/websocket/BaseWebSocketChannel.cpp +++ b/netwerk/protocol/websocket/BaseWebSocketChannel.cpp 
@@ -219,10 +219,10 @@ BaseWebSocketChannel::InitLoadInfoNative( nsIPrincipal* aTriggeringPrincipal, nsICookieJarSettings* aCookieJarSettings, uint32_t aSecurityFlags, nsContentPolicyType aContentPolicyType, uint32_t aSandboxFlags) { - mLoadInfo = new LoadInfo( + mLoadInfo = MOZ_TRY(LoadInfo::Create( aLoadingPrincipal, aTriggeringPrincipal, aLoadingNode, aSecurityFlags, aContentPolicyType, Maybe(), - Maybe(), aSandboxFlags); + Maybe(), aSandboxFlags)); if (aCookieJarSettings) { mLoadInfo->SetCookieJarSettings(aCookieJarSettings); } diff --git a/netwerk/test/fuzz/TestHttpFuzzing.cpp b/netwerk/test/fuzz/TestHttpFuzzing.cpp index b2f9267ef6b6..1b9e9cba9287 100644 --- a/netwerk/test/fuzz/TestHttpFuzzing.cpp +++ b/netwerk/test/fuzz/TestHttpFuzzing.cpp @@ -167,13 +167,15 @@ static int FuzzingRunNetworkHttp(const uint8_t* data, size_t size) { MOZ_CRASH("do_QueryInterface failed."); } - loadInfo = new LoadInfo( - nsContentUtils::GetSystemPrincipal(), // loading principal - nsContentUtils::GetSystemPrincipal(), // triggering principal - nullptr, // Context - secFlags, nsIContentPolicy::TYPE_INTERNAL_XMLHTTPREQUEST_ASYNC, - Maybe(), - Maybe(), sandboxFlags); + loadInfo = + LoadInfo::Create( + nsContentUtils::GetSystemPrincipal(), // loading principal + nsContentUtils::GetSystemPrincipal(), // triggering principal + nullptr, // Context + secFlags, nsIContentPolicy::TYPE_INTERNAL_XMLHTTPREQUEST_ASYNC, + Maybe(), + Maybe(), sandboxFlags) + .unwrap(); rv = pph->NewProxiedChannel(url, proxyInfo, 0, // aProxyResolveFlags diff --git a/toolkit/components/places/nsFaviconService.cpp b/toolkit/components/places/nsFaviconService.cpp index 8840d399ef45..a6a6ac1686ae 100644 --- a/toolkit/components/places/nsFaviconService.cpp +++ b/toolkit/components/places/nsFaviconService.cpp 
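Review bot: `FuzzingRunNetworkHttp` calls `.unwrap()` on the result of `LoadInfo::Create` without testing it, whereas the neighbouring failure in this harness is handled with `MOZ_CRASH("do_QueryInterface failed.")`. As far as I know, `unwrap()` on an error is only asserted in debug builds. Once `Create` can fail, an optimized fuzzing build would carry on with an invalid value and crash far from the cause, which makes triage noisy. Storing the Result in a local and checking it keeps the harness convention: `if (result.isErr()) { MOZ_CRASH("LoadInfo::Create failed."); }` before `loadInfo = result.unwrap();` (`result` is a name chosen here).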
@@ -277,13 +277,13 @@ nsFaviconService::SetFaviconForPage(nsIURI* aPageURI, nsIURI* aFaviconURI, return NS_ERROR_NULL_POINTER; } - nsCOMPtr loadInfo = new mozilla::net::LoadInfo( + nsCOMPtr loadInfo = MOZ_TRY(net::LoadInfo::Create( loadingPrincipal, nullptr, // aTriggeringPrincipal nullptr, // aLoadingNode nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_INHERITS_SEC_CONTEXT | nsILoadInfo::SEC_ALLOW_CHROME | nsILoadInfo::SEC_DISALLOW_SCRIPT, - nsIContentPolicy::TYPE_INTERNAL_IMAGE_FAVICON); + nsIContentPolicy::TYPE_INTERNAL_IMAGE_FAVICON)); nsCOMPtr channel; rv = protocolHandler->NewChannel(aDataURL, loadInfo, getter_AddRefs(channel)); diff --git a/uriloader/preload/FetchPreloader.cpp b/uriloader/preload/FetchPreloader.cpp index ac580aeabce3..d36eccd2987b 100644 --- a/uriloader/preload/FetchPreloader.cpp +++ b/uriloader/preload/FetchPreloader.cpp @@ -154,9 +154,9 @@ nsresult FetchPreloader::CheckContentPolicy(nsIURI* aURI, return NS_OK; } - nsCOMPtr secCheckLoadInfo = new net::LoadInfo( + nsCOMPtr secCheckLoadInfo = MOZ_TRY(net::LoadInfo::Create( aDocument->NodePrincipal(), aDocument->NodePrincipal(), aDocument, - nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK, mContentPolicyType); + nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK, mContentPolicyType)); int16_t shouldLoad = nsIContentPolicy::ACCEPT; nsresult rv = NS_CheckContentLoadPolicy(aURI, secCheckLoadInfo, &shouldLoad,