diff -r 8bccb770b82d -r 129ffea94266 netwerk/cookie/nsCookieService.cpp
--- a/netwerk/cookie/nsCookieService.cpp	Wed Dec 31 13:27:57 2014 +0100
+++ b/netwerk/cookie/nsCookieService.cpp	Sat Jan 03 20:18:00 2015 +0100
@@ -1635,15 +1635,20 @@
 
   bool isPrivate = aChannel && NS_UsePrivateBrowsing(aChannel);
 
+  // Double keying: First get the first party URI
   nsCOMPtr<nsIURI> firstPartyURI;
-  mThirdPartyUtil->GetFirstPartyURI(aChannel, nullptr, getter_AddRefs(firstPartyURI));
+  nsAutoCString origDomain;
   bool requireHostMatch;
-  nsAutoCString origDomain;
-  nsresult rv = GetBaseDomain(firstPartyURI, origDomain, requireHostMatch);
-  if (NS_FAILED(rv)) {
-    COOKIE_LOGFAILURE(GET_COOKIE, aHostURI, nullptr,
-                      "couldn't get base domain from URI");
+  nsresult rv = mThirdPartyUtil->GetFirstPartyIsolationURI(aChannel, nullptr, getter_AddRefs(firstPartyURI));
+  if (firstPartyURI) {
+    // Double keying: Now get the originating domain
+    rv = GetBaseDomain(firstPartyURI, origDomain, requireHostMatch);
+    if (NS_FAILED(rv)) {
+      COOKIE_LOGFAILURE(GET_COOKIE, aHostURI, nullptr,
+                        "couldn't get base domain from URI");
+    }
   }
+  //else if (NS_SUCCEEDED(rv)) {}; // Not reached, we got a originating domain!
 
   nsAutoCString result;
   GetCookieStringInternal(aHostURI, isForeign, aHttpBound, appId,
@@ -1809,7 +1814,8 @@
 
   // double keyed cookie boilerplate
   nsCOMPtr<nsIURI> firstPartyURI;
-  mThirdPartyUtil->GetFirstPartyURI(aChannel, nullptr, getter_AddRefs(firstPartyURI));
+  mThirdPartyUtil->GetFirstPartyURIFromChannel(aChannel, true, getter_AddRefs(firstPartyURI));
+  NS_ASSERTION(firstPartyURI, "couldn't get the first party URI");
   nsAutoCString origDomain;
   rv = GetBaseDomain(firstPartyURI, origDomain, requireHostMatch);
   if (NS_FAILED(rv)) {
@@ -2765,10 +2771,11 @@
   for (nsCookieEntry::IndexType i = 0; i < cookies.Length(); ++i) {
     cookie = cookies[i];
 
-    // Check the origin key. We only continue if the
-    // saved origin matches matches the origin domain.
+    // Check the origin key. We only continue if the saved
+    // origin matches matches the origin domain and a populated
+    // 'aOrigDomain' indicates that first party isolation is active
     // FIXME:MSvB, other places iterate cookies too, handle them likewise?
-    if (cookie->Origin() != aOrigDomain) {
+    if (!aOrigDomain.IsEmpty() && cookie->Origin() != aOrigDomain) {
       continue;
     }
 
@@ -4149,6 +4156,7 @@
 }
 
 // find an exact cookie specified by host, name, and path that hasn't expired.
+// reveal the cookie only if its 1st party domain matches the (optional) origin.
 bool
 nsCookieService::FindCookie(const nsCookieKey    &aKey,
                             const nsAFlatCString &aOrigin,
@@ -4167,12 +4175,13 @@
   for (nsCookieEntry::IndexType i = 0; i < cookies.Length(); ++i) {
     nsCookie *cookie = cookies[i];
 
-    if (aOrigin.Equals(cookie->Origin()) &&
-        aHost.Equals(cookie->Host()) &&
+    if (aHost.Equals(cookie->Host()) &&
         aPath.Equals(cookie->Path()) &&
         aName.Equals(cookie->Name())) {
-      aIter = nsListIter(entry, i);
-      return true;
+        if (aOrigin.IsEmpty() || aOrigin.Equals(cookie->Origin())) {
+            aIter = nsListIter(entry, i);
+            return true;
+        }
     }
   }