Backout e123e0173185, 326ed6f1dc9e & 7c2c9c988869 (bug 722979) for mochitest-a11y failures
authorEd Morley <emorley@mozilla.com>
Fri, 16 Nov 2012 15:06:13 +0000
changeset 113498 a620669085ef854488c387d21c05324241e78c97
parent 113497 e123e01731854db1aefd2b375e2385226c998bab
child 113499 a7ed19f7d21ad62f58e2c3d74642008056f578a0
child 113501 cd88e0b232bade26476cfc5d61dea85d5f8bc99d
push id23872
push useremorley@mozilla.com
push dateFri, 16 Nov 2012 17:06:27 +0000
treeherdermozilla-central@a7ed19f7d21a [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
bugs722979
milestone19.0a1
backs oute123e01731854db1aefd2b375e2385226c998bab
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Backout e123e0173185, 326ed6f1dc9e & 7c2c9c988869 (bug 722979) for mochitest-a11y failures
browser/components/search/content/search.xml
content/base/test/test_websocket.html
docshell/base/nsDocShell.cpp
netwerk/base/public/nsISocketTransport.idl
netwerk/base/public/nsIStrictTransportSecurityService.idl
netwerk/base/src/nsSocketTransport2.cpp
netwerk/protocol/http/nsHttpChannel.cpp
netwerk/protocol/http/nsHttpConnectionMgr.cpp
netwerk/protocol/http/nsHttpHandler.cpp
netwerk/socket/nsISSLSocketControl.idl
netwerk/socket/nsISocketProvider.idl
netwerk/socket/nsSOCKSSocketProvider.cpp
netwerk/test/TestSTSParser.cpp
security/manager/boot/src/nsStrictTransportSecurityService.cpp
security/manager/boot/src/nsStrictTransportSecurityService.h
security/manager/ssl/src/SSLServerCertVerification.cpp
security/manager/ssl/src/TransportSecurityInfo.h
security/manager/ssl/src/nsNSSIOLayer.cpp
security/manager/ssl/src/nsNSSIOLayer.h
security/manager/ssl/src/nsSSLSocketProvider.cpp
security/manager/ssl/src/nsTLSSocketProvider.cpp
security/manager/ssl/tests/mochitest/stricttransportsecurity/test_stricttransportsecurity.html
security/manager/ssl/tests/mochitest/stricttransportsecurity/test_sts_privatebrowsing.html
security/manager/ssl/tests/unit/test_bug627234.js
security/manager/ssl/tests/unit/test_sts_preloadlist.js
security/manager/ssl/tests/unit/test_sts_preloadlist_selfdestruct.js
--- a/browser/components/search/content/search.xml
+++ b/browser/components/search/content/search.xml
@@ -493,25 +493,22 @@
         // Speculatively connect to the current engine's search URI (and
         // suggest URI, if different) to reduce request latency
 
         const SUGGEST_TYPE = "application/x-suggestions+json";
         var engine = this.currentEngine;
 	var connector =
             Services.io.QueryInterface(Components.interfaces.nsISpeculativeConnect);
         var searchURI = engine.getSubmission("dummy").uri;
-        let callbacks = window.QueryInterface(Ci.nsIInterfaceRequestor)
-                              .getInterface(Ci.nsIWebNavigation)
-                              .QueryInterface(Ci.nsILoadContext);
-        connector.speculativeConnect(searchURI, callbacks);
+        connector.speculativeConnect(searchURI, null);
 
         if (engine.supportsResponseType(SUGGEST_TYPE)) {
 	  var suggestURI = engine.getSubmission("dummy", SUGGEST_TYPE).uri;
           if (suggestURI.prePath != searchURI.prePath)
-            connector.speculativeConnect(suggestURI, callbacks);
+            connector.speculativeConnect(suggestURI, null);
         }
       ]]></handler>
     </handlers>
   </binding>
 
   <binding id="searchbar-textbox"
       extends="chrome://global/content/bindings/autocomplete.xml#autocomplete">
     <implementation implements="nsIObserver">
--- a/content/base/test/test_websocket.html
+++ b/content/base/test/test_websocket.html
@@ -1228,23 +1228,17 @@ function test41()
 
         // clean up the STS state
         netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect');
         const Cc = Components.classes;
         const Ci = Components.interfaces;
         var ios = Cc["@mozilla.org/network/io-service;1"].getService(Ci.nsIIOService);
         var thehost = ios.newURI("http://example.com", null, null);
         var stss = Cc["@mozilla.org/stsservice;1"].getService(Ci.nsIStrictTransportSecurityService);
-        var loadContext = window.QueryInterface(Ci.nsIInterfaceRequestor)
-                                .getInterface(Ci.nsIWebNavigation)
-                                .QueryInterface(Ci.nsILoadContext);
-        var flags = 0;
-        if (loadContext.usePrivateBrowsing)
-          flags |= Ci.nsISocketProvider.NO_PERMANENT_STORAGE;
-        stss.removeStsState(thehost, flags);
+        stss.removeStsState(thehost);
         doTest(42);
        }
      }
   }
 }
 
 function test42()
 {
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -109,17 +109,16 @@
 #include "nsIFileURL.h"
 #include "nsIHistoryEntry.h"
 #include "nsISHistoryListener.h"
 #include "nsIWindowWatcher.h"
 #include "nsIPromptFactory.h"
 #include "nsIObserver.h"
 #include "nsINestedURI.h"
 #include "nsITransportSecurityInfo.h"
-#include "nsISSLSocketControl.h"
 #include "nsINSSErrorsService.h"
 #include "nsIApplicationCache.h"
 #include "nsIApplicationCacheChannel.h"
 #include "nsIApplicationCacheContainer.h"
 #include "nsIPermissionManager.h"
 #include "nsStreamUtils.h"
 #include "nsIController.h"
 #include "nsPICommandUpdater.h"
@@ -4170,24 +4169,19 @@ nsDocShell::DisplayLoadError(nsresult aE
             if (errorClass == nsINSSErrorsService::ERROR_CLASS_BAD_CERT) {
                 error.AssignLiteral("nssBadCert");
 
                 // if this is a Strict-Transport-Security host and the cert
                 // is bad, don't allow overrides (STS Spec section 7.3).
                 nsCOMPtr<nsIStrictTransportSecurityService> stss =
                           do_GetService(NS_STSSERVICE_CONTRACTID, &rv);
                 NS_ENSURE_SUCCESS(rv, rv);
-                uint32_t flags = 0;
-                nsCOMPtr<nsISSLSocketControl> socketControl = do_QueryInterface(tsi);
-                if (socketControl) {
-                    socketControl->GetProviderFlags(&flags);
-                }
-                
+
                 bool isStsHost = false;
-                rv = stss->IsStsURI(aURI, flags, &isStsHost);
+                rv = stss->IsStsURI(aURI, &isStsHost);
                 NS_ENSURE_SUCCESS(rv, rv);
 
                 uint32_t bucketId;
                 if (isStsHost) {
                   cssClass.AssignLiteral("badStsCert");
                   //measuring STS separately allows us to measure click through
                   //rates easily
                   bucketId = nsISecurityUITelemetry::WARNING_BAD_CERT_STS;
--- a/netwerk/base/public/nsISocketTransport.idl
+++ b/netwerk/base/public/nsISocketTransport.idl
@@ -146,26 +146,16 @@ interface nsISocketTransport : nsITransp
 
     /**
      * If set, we will skip all IPv6 addresses the host may have and only
      * connect to IPv4 ones.
      */
     const unsigned long DISABLE_IPV6 = (1 << 2);
 
     /**
-     * If set, indicates that the connection was initiated from a source
-     * defined as being private in the sense of Private Browsing. Generally,
-     * there should be no state shared between connections that are private
-     * and those that are not; it is OK for multiple private connections
-     * to share state with each other, and it is OK for multiple non-private
-     * connections to share state with each other.
-     */
-    const unsigned long NO_PERMANENT_STORAGE = (1 << 3);
-
-    /**
      * Socket QoS/ToS markings. Valid values are IPTOS_DSCP_AFxx or
      * IPTOS_CLASS_CSx (or IPTOS_DSCP_EF, but currently no supported
      * services require expedited-forwarding).
      * Not setting this value will leave the socket with the default
      * ToS value, which on most systems if IPTOS_CLASS_CS0 (formerly
      * IPTOS_PREC_ROUTINE).
      */
     attribute octet QoSBits;
--- a/netwerk/base/public/nsIStrictTransportSecurityService.idl
+++ b/netwerk/base/public/nsIStrictTransportSecurityService.idl
@@ -3,84 +3,73 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsISupports.idl"
 
 interface nsIURI;
 interface nsIObserver;
 interface nsIHttpChannel;
 
-[scriptable, uuid(c6138514-f212-4747-98c2-7abfce3be293)]
+[scriptable, uuid(aee925d1-2bc9-469e-9582-b27b1d6b5192)]
 interface nsIStrictTransportSecurityService : nsISupports
 {
     /**
      * Parses a given HTTP header and records the results internally.
      * The format of the STS header is defined by the STS specification:
      * http://tools.ietf.org/html/draft-hodges-strict-transport-sec
      * and allows a host to specify that future requests on port 80 should be
      * upgraded to HTTPS.
      *
      * @param aSourceURI the URI of the resource with the HTTP header.
      * @param aHeader the HTTP response header specifying STS data.
-     * @param aFlags  options for this request as defined in nsISocketProvider:
-     *                  NO_PERMANENT_STORAGE
      * @param aMaxAge the parsed max-age directive of the header.
      * @param aIncludeSubdomains the parsed includeSubdomains directive.
      * @return NS_OK            if it succeeds
      *         NS_ERROR_FAILURE if it can't be parsed
      *         NS_SUCCESS_LOSS_OF_INSIGNIFICANT_DATA
      *                          if there are unrecognized tokens in the header.
      */
     void processStsHeader(in nsIURI aSourceURI,
                           in string aHeader,
-                          in uint32_t aFlags,
                           [optional] out unsigned long long aMaxAge,
                           [optional] out boolean aIncludeSubdomains);
 
     /**
      * Removes the STS state of a host, including the includeSubdomains state
      * that would affect subdomains.  This essentially removes STS state for
      * the domain tree rooted at this host.
-     * @param aURI    the URI of the target host
-     * @param aFlags  options for this request as defined in nsISocketProvider:
-     *                  NO_PERMANENT_STORAGE
      */
-    void removeStsState(in nsIURI aURI,
-                        in uint32_t aFlags);
+    void removeStsState(in nsIURI aURI);
 
     /**
      * Checks if the given security info is for an STS host with a broken
      * transport layer (certificate errors like invalid CN).
      */
     boolean shouldIgnoreStsHeader(in nsISupports aSecurityInfo);
 
     /**
      * Checks whether or not the given hostname has STS state set.
      * The host is an STS host if either it has the STS permission, or one of
      * its super-domains has an STS "includeSubdomains" permission set.
      *
      * @param aHost the hostname (punycode) to query for STS state.
-     * @param aFlags  options for this request as defined in nsISocketProvider:
-     *                  NO_PERMANENT_STORAGE
      */
-    boolean isStsHost(in string aHost, in uint32_t aFlags);
+    boolean isStsHost(in string aHost);
 
     /**
      * Checks whether or not the URI's hostname has STS state set.
      * The URI is an STS URI if either the host has the STS permission, or one
      * of its super-domains has an STS "includeSubdomains" permission set.
      * NOTE: this function makes decisions based only on the scheme and
      * host contained in the URI, and disregards other portions of the URI
      * such as path and port.
      *
      * @param aURI the URI to query for STS state.
-     * @param aFlags  options for this request as defined in nsISocketProvider:
-     *                  NO_PERMANENT_STORAGE
      */
-    boolean isStsURI(in nsIURI aURI, in uint32_t aFlags);
+    boolean isStsURI(in nsIURI aURI);
 
 };
 
 %{C++
 #define NS_STSSERVICE_CONTRACTID "@mozilla.org/stsservice;1"
 #define NS_STSSERVICE_CLASSNAME "stsservice"
 
 #define STS_PERMISSION "sts/use"
--- a/netwerk/base/src/nsSocketTransport2.cpp
+++ b/netwerk/base/src/nsSocketTransport2.cpp
@@ -972,19 +972,16 @@ nsSocketTransport::BuildSocket(PRFileDes
                 break;
 
             if (mProxyTransparentResolvesHost)
                 proxyFlags |= nsISocketProvider::PROXY_RESOLVES_HOST;
             
             if (mConnectionFlags & nsISocketTransport::ANONYMOUS_CONNECT)
                 proxyFlags |= nsISocketProvider::ANONYMOUS_CONNECT;
 
-            if (mConnectionFlags & nsISocketTransport::NO_PERMANENT_STORAGE)
-                proxyFlags |= nsISocketProvider::NO_PERMANENT_STORAGE;
-
             nsCOMPtr<nsISupports> secinfo;
             if (i == 0) {
                 // if this is the first type, we'll want the 
                 // service to allocate a new socket
                 rv = provider->NewSocket(mNetAddr.raw.family,
                                          host, port, proxyHost, proxyPort,
                                          proxyFlags, &fd,
                                          getter_AddRefs(secinfo));
--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
@@ -365,18 +365,17 @@ nsHttpChannel::Connect()
     NS_ENSURE_SUCCESS(rv,rv);
 
     if (!usingSSL) {
         // enforce Strict-Transport-Security
         nsIStrictTransportSecurityService* stss = gHttpHandler->GetSTSService();
         NS_ENSURE_TRUE(stss, NS_ERROR_OUT_OF_MEMORY);
 
         bool isStsHost = false;
-        uint32_t flags = mPrivateBrowsing ? nsISocketProvider::NO_PERMANENT_STORAGE : 0;
-        rv = stss->IsStsURI(mURI, flags, &isStsHost);
+        rv = stss->IsStsURI(mURI, &isStsHost);
 
         // if STS fails, there's no reason to cancel the load, but it's
         // worrisome.
         NS_ASSERTION(NS_SUCCEEDED(rv),
                      "Something is wrong with STS: IsStsURI failed.");
 
         if (NS_SUCCEEDED(rv) && isStsHost) {
             LOG(("nsHttpChannel::Connect() STS permissions found\n"));
@@ -1108,19 +1107,17 @@ nsHttpChannel::ProcessSTSHeader()
     NS_ENSURE_SUCCESS(rv, NS_OK);
 
     // If this was already an STS host, the connection should have been aborted
     // by the bad cert handler in the case of cert errors.  If it didn't abort the connection,
     // there's probably something funny going on.
     // If this wasn't an STS host, errors are allowed, but no more STS processing
     // will happen during the session.
     bool wasAlreadySTSHost;
-    uint32_t flags =
-      NS_UsePrivateBrowsing(this) ? nsISocketProvider::NO_PERMANENT_STORAGE : 0;
-    rv = stss->IsStsURI(mURI, flags, &wasAlreadySTSHost);
+    rv = stss->IsStsURI(mURI, &wasAlreadySTSHost);
     // Failure here means STS is broken.  Don't prevent the load, but this
     // shouldn't fail.
     NS_ENSURE_SUCCESS(rv, NS_OK);
     NS_ASSERTION(!(wasAlreadySTSHost && tlsIsBroken),
                  "connection should have been aborted by nss-bad-cert-handler");
 
     // Any STS header is ignored if the channel is not trusted due to
     // certificate errors (STS Spec 7.1) -- there is nothing else to do, and
@@ -1138,17 +1135,17 @@ nsHttpChannel::ProcessSTSHeader()
     rv = mResponseHead->GetHeader(atom, stsHeader);
     if (rv == NS_ERROR_NOT_AVAILABLE) {
         LOG(("STS: No STS header, continuing load.\n"));
         return NS_OK;
     }
     // All other failures are fatal.
     NS_ENSURE_SUCCESS(rv, rv);
 
-    rv = stss->ProcessStsHeader(mURI, stsHeader.get(), flags, NULL, NULL);
+    rv = stss->ProcessStsHeader(mURI, stsHeader.get(), NULL, NULL);
     if (NS_FAILED(rv)) {
         LOG(("STS: Failed to parse STS header, continuing load.\n"));
         return NS_OK;
     }
 
     return NS_OK;
 }
 
--- a/netwerk/protocol/http/nsHttpConnectionMgr.cpp
+++ b/netwerk/protocol/http/nsHttpConnectionMgr.cpp
@@ -2452,19 +2452,16 @@ nsHalfOpenSocket::SetupStreams(nsISocket
     
     uint32_t tmpFlags = 0;
     if (mCaps & NS_HTTP_REFRESH_DNS)
         tmpFlags = nsISocketTransport::BYPASS_CACHE;
 
     if (mCaps & NS_HTTP_LOAD_ANONYMOUS)
         tmpFlags |= nsISocketTransport::ANONYMOUS_CONNECT;
 
-    if (mEnt->mConnInfo->GetPrivate())
-        tmpFlags |= nsISocketTransport::NO_PERMANENT_STORAGE;
-
     // For backup connections, we disable IPv6. That's because some users have
     // broken IPv6 connectivity (leading to very long timeouts), and disabling
     // IPv6 on the backup connection gives them a much better user experience
     // with dual-stack hosts, though they still pay the 250ms delay for each new
     // connection. This strategy is also known as "happy eyeballs".
     if (isBackup && gHttpHandler->FastFallbackToIPv4())
         tmpFlags |= nsISocketTransport::DISABLE_IPV6;
 
--- a/netwerk/protocol/http/nsHttpHandler.cpp
+++ b/netwerk/protocol/http/nsHttpHandler.cpp
@@ -1615,22 +1615,18 @@ NS_IMETHODIMP
 nsHttpHandler::SpeculativeConnect(nsIURI *aURI,
                                   nsIInterfaceRequestor *aCallbacks)
 {
     nsIStrictTransportSecurityService* stss = gHttpHandler->GetSTSService();
     bool isStsHost = false;
     if (!stss)
         return NS_OK;
 
-    nsCOMPtr<nsILoadContext> loadContext = do_GetInterface(aCallbacks);
-    uint32_t flags = 0;
-    if (loadContext && loadContext->UsePrivateBrowsing())
-        flags |= nsISocketProvider::NO_PERMANENT_STORAGE;
     nsCOMPtr<nsIURI> clone;
-    if (NS_SUCCEEDED(stss->IsStsURI(aURI, flags, &isStsHost)) && isStsHost) {
+    if (NS_SUCCEEDED(stss->IsStsURI(aURI, &isStsHost)) && isStsHost) {
         if (NS_SUCCEEDED(aURI->Clone(getter_AddRefs(clone)))) {
             clone->SetScheme(NS_LITERAL_CSTRING("https"));
             aURI = clone.get();
         }
     }
 
     nsAutoCString scheme;
     nsresult rv = aURI->GetScheme(scheme);
--- a/netwerk/socket/nsISSLSocketControl.idl
+++ b/netwerk/socket/nsISSLSocketControl.idl
@@ -9,17 +9,17 @@
 interface nsIInterfaceRequestor;
 
 %{C++
 #include "nsTArray.h"
 class nsCString;
 %}
 [ref] native nsCStringTArrayRef(nsTArray<nsCString>);
 
-[scriptable, uuid(bb2bb490-3ba4-4254-b8f5-8b43c7b714ea)]
+[scriptable, uuid(753f0f13-681d-4de3-a6c6-11aa7e0b3afd)]
 interface nsISSLSocketControl : nsISupports {
     attribute nsIInterfaceRequestor     notificationCallbacks;
 
     void proxyStartSSL();
     void StartTLS();
 
     /* NPN (Next Protocol Negotiation) is a mechanism for
        negotiating the protocol to be spoken inside the SSL
@@ -44,15 +44,11 @@ interface nsISSLSocketControl : nsISuppo
     /* Determine if a potential SSL connection to hostname:port with
      * a desired NPN negotiated protocol of npnProtocol can use the socket
      * associated with this object instead of making a new one.
      */
     boolean joinConnection(
       in ACString npnProtocol, /* e.g. "spdy/2" */
       in ACString hostname,
       in long port);
-
-    /*
-     * The original flags from the socket provider.
-     */
-    readonly attribute uint32_t providerFlags;
+    
 };
 
--- a/netwerk/socket/nsISocketProvider.idl
+++ b/netwerk/socket/nsISocketProvider.idl
@@ -76,26 +76,17 @@ interface nsISocketProvider : nsISupport
     
     /**
      * When setting this flag, the socket will not apply any
      * credentials when establishing a connection. For example,
      * an SSL connection would not send any client-certificates
      * if this flag is set.
      */
     const long ANONYMOUS_CONNECT = 1 << 1;
-
-    /**
-     * If set, indicates that the connection was initiated from a source
-     * defined as being private in the sense of Private Browsing. Generally,
-     * there should be no state shared between connections that are private
-     * and those that are not; it is OK for multiple private connections
-     * to share state with each other, and it is OK for multiple non-private
-     * connections to share state with each other.
-     */
-    const unsigned long NO_PERMANENT_STORAGE = 1 << 2;
+    
 };
 
 %{C++
 /**
  * nsISocketProvider implementations should be registered with XPCOM under a
  * contract ID of the form: "@mozilla.org/network/socket;2?type=foo"
  */
 #define NS_NETWORK_SOCKET_CONTRACTID_PREFIX \
--- a/netwerk/socket/nsSOCKSSocketProvider.cpp
+++ b/netwerk/socket/nsSOCKSSocketProvider.cpp
@@ -42,17 +42,17 @@ nsSOCKSSocketProvider::CreateV5(nsISuppo
 
 NS_IMETHODIMP
 nsSOCKSSocketProvider::NewSocket(int32_t family,
                                  const char *host, 
                                  int32_t port,
                                  const char *proxyHost,
                                  int32_t proxyPort,
                                  uint32_t flags,
-                                 PRFileDesc **result,
+                                 PRFileDesc **result, 
                                  nsISupports **socksInfo)
 {
     PRFileDesc *sock;
     
     sock = PR_OpenTCPSocket(family);
     if (!sock)
         return NS_ERROR_OUT_OF_MEMORY;
 
@@ -75,17 +75,17 @@ nsSOCKSSocketProvider::NewSocket(int32_t
 
 NS_IMETHODIMP
 nsSOCKSSocketProvider::AddToSocket(int32_t family,
                                    const char *host,
                                    int32_t port,
                                    const char *proxyHost,
                                    int32_t proxyPort,
                                    uint32_t flags,
-                                   PRFileDesc *sock,
+                                   PRFileDesc *sock, 
                                    nsISupports **socksInfo)
 {
     nsresult rv = nsSOCKSIOLayerAddToSocket(family,
                                             host, 
                                             port,
                                             proxyHost,
                                             proxyPort,
                                             mVersion,
--- a/netwerk/test/TestSTSParser.cpp
+++ b/netwerk/test/TestSTSParser.cpp
@@ -44,17 +44,17 @@ TestSuccess(const char* hdr, bool extraT
             nsIPermissionManager* pm)
 {
   nsCOMPtr<nsIURI> dummyUri;
   nsresult rv = NS_NewURI(getter_AddRefs(dummyUri), "https://foo.com/bar.html");
   EXPECT_SUCCESS(rv, "Failed to create URI");
 
   uint64_t maxAge = 0;
   bool includeSubdomains = false;
-  rv = stss->ProcessStsHeader(dummyUri, hdr, 0, &maxAge, &includeSubdomains);
+  rv = stss->ProcessStsHeader(dummyUri, hdr, &maxAge, &includeSubdomains);
   EXPECT_SUCCESS(rv, "Failed to process valid header: %s", hdr);
 
   REQUIRE_EQUAL(maxAge, expectedMaxAge, "Did not correctly parse maxAge");
   REQUIRE_EQUAL(includeSubdomains, expectedIncludeSubdomains, "Did not correctly parse presence/absence of includeSubdomains");
 
   if (extraTokens) {
     REQUIRE_EQUAL(rv, NS_SUCCESS_LOSS_OF_INSIGNIFICANT_DATA,
                   "Extra tokens were expected when parsing, but were not encountered.");
@@ -69,17 +69,17 @@ TestSuccess(const char* hdr, bool extraT
 bool TestFailure(const char* hdr,
                    nsIStrictTransportSecurityService* stss,
                    nsIPermissionManager* pm)
 {
   nsCOMPtr<nsIURI> dummyUri;
   nsresult rv = NS_NewURI(getter_AddRefs(dummyUri), "https://foo.com/bar.html");
   EXPECT_SUCCESS(rv, "Failed to create URI");
 
-  rv = stss->ProcessStsHeader(dummyUri, hdr, 0, NULL, NULL);
+  rv = stss->ProcessStsHeader(dummyUri, hdr, NULL, NULL);
   EXPECT_FAILURE(rv, "Parsed invalid header: %s", hdr);
   passed(hdr);
   return true;
 }
 
 
 int
 main(int32_t argc, char *argv[])
--- a/security/manager/boot/src/nsStrictTransportSecurityService.cpp
+++ b/security/manager/boot/src/nsStrictTransportSecurityService.cpp
@@ -2,25 +2,25 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "plstr.h"
 #include "prlog.h"
 #include "prprf.h"
 #include "nsCRTGlue.h"
 #include "nsIPermissionManager.h"
+#include "nsIPrivateBrowsingService.h"
 #include "nsISSLStatus.h"
 #include "nsISSLStatusProvider.h"
 #include "nsStrictTransportSecurityService.h"
 #include "nsIURI.h"
 #include "nsNetUtil.h"
 #include "nsThreadUtils.h"
 #include "nsStringGlue.h"
 #include "nsIScriptSecurityManager.h"
-#include "nsISocketProvider.h"
 #include "mozilla/Preferences.h"
 
 // A note about the preload list:
 // When a site specifically disables sts by sending a header with
 // 'max-age: 0', we keep a "knockout" value that means "we have no information
 // regarding the sts state of this host" (any ancestor of "this host" can still
 // influence its sts status via include subdomains, however).
 // This prevents the preload list from overriding the site's current
@@ -70,17 +70,17 @@ nsSTSHostEntry::nsSTSHostEntry(const nsS
   , mIncludeSubdomains(toCopy.mIncludeSubdomains)
 {
 }
 
 ////////////////////////////////////////////////////////////////////////////////
 
 
 nsStrictTransportSecurityService::nsStrictTransportSecurityService()
-  : mUsePreloadList(true)
+  : mInPrivateMode(false), mUsePreloadList(true)
 {
 }
 
 nsStrictTransportSecurityService::~nsStrictTransportSecurityService()
 {
 }
 
 NS_IMPL_THREADSAFE_ISUPPORTS2(nsStrictTransportSecurityService,
@@ -90,23 +90,30 @@ NS_IMPL_THREADSAFE_ISUPPORTS2(nsStrictTr
 nsresult
 nsStrictTransportSecurityService::Init()
 {
    nsresult rv;
 
    mPermMgr = do_GetService(NS_PERMISSIONMANAGER_CONTRACTID, &rv);
    NS_ENSURE_SUCCESS(rv, rv);
 
+   // figure out if we're starting in private browsing mode
+   nsCOMPtr<nsIPrivateBrowsingService> pbs =
+     do_GetService(NS_PRIVATE_BROWSING_SERVICE_CONTRACTID);
+   if (pbs)
+     pbs->GetPrivateBrowsingEnabled(&mInPrivateMode);
+
    mUsePreloadList = mozilla::Preferences::GetBool("network.stricttransportsecurity.preloadlist", true);
    mozilla::Preferences::AddStrongObserver(this, "network.stricttransportsecurity.preloadlist");
    mObserverService = mozilla::services::GetObserverService();
    if (mObserverService)
-     mObserverService->AddObserver(this, "last-pb-context-exited", false);
+     mObserverService->AddObserver(this, NS_PRIVATE_BROWSING_SWITCH_TOPIC, false);
 
-   mPrivateModeHostTable.Init();
+   if (mInPrivateMode)
+     mPrivateModeHostTable.Init();
 
    return NS_OK;
 }
 
 nsresult
 nsStrictTransportSecurityService::GetHost(nsIURI *aURI, nsACString &aResult)
 {
   nsCOMPtr<nsIURI> innerURI = NS_GetInnermostURI(aURI);
@@ -141,92 +148,83 @@ nsStrictTransportSecurityService::GetPri
   // We want all apps to share HSTS state, so this is one of the few places
   // where we do not silo persistent state by extended origin.
   return securityManager->GetNoAppCodebasePrincipal(uri, aPrincipal);
 }
 
 nsresult
 nsStrictTransportSecurityService::SetStsState(nsIURI* aSourceURI,
                                               int64_t maxage,
-                                              bool includeSubdomains,
-                                              uint32_t flags)
+                                              bool includeSubdomains)
 {
   // If max-age is zero, that's an indication to immediately remove the
   // permissions, so here's a shortcut.
-  if (!maxage) {
-    return RemoveStsState(aSourceURI, flags);
-  }
+  if (!maxage)
+    return RemoveStsState(aSourceURI);
 
   // Expire time is millis from now.  Since STS max-age is in seconds, and
   // PR_Now() is in micros, must equalize the units at milliseconds.
   int64_t expiretime = (PR_Now() / PR_USEC_PER_MSEC) +
                        (maxage * PR_MSEC_PER_SEC);
 
-  bool isPrivate = flags & nsISocketProvider::NO_PERMANENT_STORAGE;
-
   // record entry for this host with max-age in the permissions manager
   STSLOG(("STS: maxage permission SET, adding permission\n"));
   nsresult rv = AddPermission(aSourceURI,
                               STS_PERMISSION,
                               (uint32_t) STS_SET,
                               (uint32_t) nsIPermissionManager::EXPIRE_TIME,
-                              expiretime,
-                              isPrivate);
+                              expiretime);
   NS_ENSURE_SUCCESS(rv, rv);
 
   if (includeSubdomains) {
     // record entry for this host with include subdomains in the permissions manager
     STSLOG(("STS: subdomains permission SET, adding permission\n"));
     rv = AddPermission(aSourceURI,
                        STS_SUBDOMAIN_PERMISSION,
                        (uint32_t) STS_SET,
                        (uint32_t) nsIPermissionManager::EXPIRE_TIME,
-                       expiretime,
-                       isPrivate);
+                       expiretime);
     NS_ENSURE_SUCCESS(rv, rv);
   } else { // !includeSubdomains
     nsAutoCString hostname;
     rv = GetHost(aSourceURI, hostname);
     NS_ENSURE_SUCCESS(rv, rv);
 
     STSLOG(("STS: subdomains permission UNSET, removing any existing ones\n"));
-    rv = RemovePermission(hostname, STS_SUBDOMAIN_PERMISSION, isPrivate);
+    rv = RemovePermission(hostname, STS_SUBDOMAIN_PERMISSION);
     NS_ENSURE_SUCCESS(rv, rv);
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
-nsStrictTransportSecurityService::RemoveStsState(nsIURI* aURI, uint32_t aFlags)
+nsStrictTransportSecurityService::RemoveStsState(nsIURI* aURI)
 {
   // Should be called on the main thread (or via proxy) since the permission
   // manager is used and it's not threadsafe.
   NS_ENSURE_TRUE(NS_IsMainThread(), NS_ERROR_UNEXPECTED);
 
   nsAutoCString hostname;
   nsresult rv = GetHost(aURI, hostname);
   NS_ENSURE_SUCCESS(rv, rv);
 
-  bool isPrivate = aFlags & nsISocketProvider::NO_PERMANENT_STORAGE;
-
-  rv = RemovePermission(hostname, STS_PERMISSION, isPrivate);
+  rv = RemovePermission(hostname, STS_PERMISSION);
   NS_ENSURE_SUCCESS(rv, rv);
   STSLOG(("STS: deleted maxage permission\n"));
 
-  rv = RemovePermission(hostname, STS_SUBDOMAIN_PERMISSION, isPrivate);
+  rv = RemovePermission(hostname, STS_SUBDOMAIN_PERMISSION);
   NS_ENSURE_SUCCESS(rv, rv);
   STSLOG(("STS: deleted subdomains permission\n"));
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsStrictTransportSecurityService::ProcessStsHeader(nsIURI* aSourceURI,
                                                    const char* aHeader,
-                                                   uint32_t aFlags,
                                                    uint64_t *aMaxAge,
                                                    bool *aIncludeSubdomains)
 {
   // Should be called on the main thread (or via proxy) since the permission
   // manager is used and it's not threadsafe.
   NS_ENSURE_TRUE(NS_IsMainThread(), NS_ERROR_UNEXPECTED);
 
   if (aMaxAge != nullptr) {
@@ -234,26 +232,25 @@ nsStrictTransportSecurityService::Proces
   }
 
   if (aIncludeSubdomains != nullptr) {
     *aIncludeSubdomains = false;
   }
 
   char * header = NS_strdup(aHeader);
   if (!header) return NS_ERROR_OUT_OF_MEMORY;
-  nsresult rv = ProcessStsHeaderMutating(aSourceURI, header, aFlags,
-                                         aMaxAge, aIncludeSubdomains);
+  nsresult rv = ProcessStsHeaderMutating(aSourceURI, header, aMaxAge,
+                                         aIncludeSubdomains);
   NS_Free(header);
   return rv;
 }
 
 nsresult
 nsStrictTransportSecurityService::ProcessStsHeaderMutating(nsIURI* aSourceURI,
                                                            char* aHeader,
-                                                           uint32_t aFlags,
                                                            uint64_t *aMaxAge,
                                                            bool *aIncludeSubdomains)
 {
   STSLOG(("STS: ProcessStrictTransportHeader(%s)\n", aHeader));
 
   // "Strict-Transport-Security" ":" OWS
   //      STS-d  *( OWS ";" OWS STS-d  OWS)
   //
@@ -336,44 +333,44 @@ nsStrictTransportSecurityService::Proces
   }
 
   // after processing all the directives, make sure we came across max-age
   // somewhere.
   STS_PARSER_FAIL_IF(!foundMaxAge,
               ("Parse ERROR: couldn't locate max-age token\n"));
 
   // record the successfully parsed header data.
-  SetStsState(aSourceURI, maxAge, includeSubdomains, aFlags);
+  SetStsState(aSourceURI, maxAge, includeSubdomains);
 
   if (aMaxAge != nullptr) {
     *aMaxAge = (uint64_t)maxAge;
   }
 
   if (aIncludeSubdomains != nullptr) {
     *aIncludeSubdomains = includeSubdomains;
   }
 
   return foundUnrecognizedTokens ?
          NS_SUCCESS_LOSS_OF_INSIGNIFICANT_DATA :
          NS_OK;
 }
 
 NS_IMETHODIMP
-nsStrictTransportSecurityService::IsStsHost(const char* aHost, uint32_t aFlags, bool* aResult)
+nsStrictTransportSecurityService::IsStsHost(const char* aHost, bool* aResult)
 {
   // Should be called on the main thread (or via proxy) since the permission
   // manager is used and it's not threadsafe.
   NS_ENSURE_TRUE(NS_IsMainThread(), NS_ERROR_UNEXPECTED);
 
   nsCOMPtr<nsIURI> uri;
   nsDependentCString hostString(aHost);
   nsresult rv = NS_NewURI(getter_AddRefs(uri),
                           NS_LITERAL_CSTRING("https://") + hostString);
   NS_ENSURE_SUCCESS(rv, rv);
-  return IsStsURI(uri, aFlags, aResult);
+  return IsStsURI(uri, aResult);
 }
 
 int STSPreloadCompare(const void *key, const void *entry)
 {
   const char *keyStr = (const char *)key;
   const nsSTSPreload *preloadEntry = (const nsSTSPreload *)entry;
   return strcmp(keyStr, preloadEntry->mHost);
 }
@@ -399,34 +396,33 @@ nsStrictTransportSecurityService::GetPre
                                           sizeof(nsSTSPreload),
                                           STSPreloadCompare);
   }
 
   return nullptr;
 }
 
 NS_IMETHODIMP
-nsStrictTransportSecurityService::IsStsURI(nsIURI* aURI, uint32_t aFlags, bool* aResult)
+nsStrictTransportSecurityService::IsStsURI(nsIURI* aURI, bool* aResult)
 {
   // Should be called on the main thread (or via proxy) since the permission
   // manager is used and it's not threadsafe.
   NS_ENSURE_TRUE(NS_IsMainThread(), NS_ERROR_UNEXPECTED);
 
   // set default in case if we can't find any STS information
   *aResult = false;
 
   nsAutoCString host;
   nsresult rv = GetHost(aURI, host);
   NS_ENSURE_SUCCESS(rv, rv);
 
   const nsSTSPreload *preload = nullptr;
   nsSTSHostEntry *pbEntry = nullptr;
 
-  bool isPrivate = aFlags & nsISocketProvider::NO_PERMANENT_STORAGE;
-  if (isPrivate) {
+  if (mInPrivateMode) {
     pbEntry = mPrivateModeHostTable.GetEntry(host.get());
   }
 
   nsCOMPtr<nsIPrincipal> principal;
   rv = GetPrincipalForURI(aURI, getter_AddRefs(principal));
   NS_ENSURE_SUCCESS(rv, rv);
 
   uint32_t permMgrPermission;
@@ -478,17 +474,17 @@ nsStrictTransportSecurityService::IsStsU
 
     subdomain = host.get() + offset;
 
     // If we get an empty string, don't continue.
     if (strlen(subdomain) < 1) {
       break;
     }
 
-    if (isPrivate) {
+    if (mInPrivateMode) {
       pbEntry = mPrivateModeHostTable.GetEntry(subdomain);
     }
 
     // normalize all URIs with https://
     rv = NS_NewURI(getter_AddRefs(domainWalkURI),
                    NS_LITERAL_CSTRING("https://") + Substring(host, offset));
     NS_ENSURE_SUCCESS(rv, rv);
 
@@ -579,18 +575,30 @@ nsStrictTransportSecurityService::Should
 // nsStrictTransportSecurityService::nsIObserver
 //------------------------------------------------------------
 
 NS_IMETHODIMP
 nsStrictTransportSecurityService::Observe(nsISupports *subject,
                                           const char *topic,
                                           const PRUnichar *data)
 {
-  if (strcmp(topic, "last-pb-context-exited") == 0) {
-    mPrivateModeHostTable.Clear();
+  if (strcmp(topic, NS_PRIVATE_BROWSING_SWITCH_TOPIC) == 0) {
+    if(NS_LITERAL_STRING(NS_PRIVATE_BROWSING_ENTER).Equals(data)) {
+      // Indication to start recording stuff locally and not writing changes
+      // out to the permission manager.
+
+      if (!mPrivateModeHostTable.IsInitialized()) {
+        mPrivateModeHostTable.Init();
+      }
+      mInPrivateMode = true;
+    }
+    else if (NS_LITERAL_STRING(NS_PRIVATE_BROWSING_LEAVE).Equals(data)) {
+      mPrivateModeHostTable.Clear();
+      mInPrivateMode = false;
+    }
   }
   else if (strcmp(topic, NS_PREFBRANCH_PREFCHANGE_TOPIC_ID) == 0) {
     mUsePreloadList = mozilla::Preferences::GetBool("network.stricttransportsecurity.preloadlist", true);
   }
 
   return NS_OK;
 }
 
@@ -598,22 +606,21 @@ nsStrictTransportSecurityService::Observ
 // Functions to overlay the permission manager calls in case
 // we're in private browsing mode.
 //------------------------------------------------------------
 nsresult
 nsStrictTransportSecurityService::AddPermission(nsIURI     *aURI,
                                                 const char *aType,
                                                 uint32_t   aPermission,
                                                 uint32_t   aExpireType,
-                                                int64_t    aExpireTime,
-                                                bool       aIsPrivate)
+                                                int64_t    aExpireTime)
 {
     // Private mode doesn't address user-set (EXPIRE_NEVER) permissions: let
     // those be stored persistently.
-    if (!aIsPrivate || aExpireType == nsIPermissionManager::EXPIRE_NEVER) {
+    if (!mInPrivateMode || aExpireType == nsIPermissionManager::EXPIRE_NEVER) {
       // Not in private mode, or manually-set permission
       nsCOMPtr<nsIPrincipal> principal;
       nsresult rv = GetPrincipalForURI(aURI, getter_AddRefs(principal));
       NS_ENSURE_SUCCESS(rv, rv);
 
       return mPermMgr->AddFromPrincipal(principal, aType, aPermission,
                                         aExpireType, aExpireTime);
     }
@@ -655,31 +662,30 @@ nsStrictTransportSecurityService::AddPer
 
     // Also refresh the expiration time.
     entry->SetExpireTime(aExpireTime);
     return NS_OK;
 }
 
 nsresult
 nsStrictTransportSecurityService::RemovePermission(const nsCString  &aHost,
-                                                   const char       *aType,
-                                                   bool aIsPrivate)
+                                                   const char       *aType)
 {
     // Build up a principal for use with the permission manager.
     // normalize all URIs with https://
     nsCOMPtr<nsIURI> uri;
     nsresult rv = NS_NewURI(getter_AddRefs(uri),
                             NS_LITERAL_CSTRING("https://") + aHost);
     NS_ENSURE_SUCCESS(rv, rv);
 
     nsCOMPtr<nsIPrincipal> principal;
     rv = GetPrincipalForURI(uri, getter_AddRefs(principal));
     NS_ENSURE_SUCCESS(rv, rv);
 
-    if (!aIsPrivate) {
+    if (!mInPrivateMode) {
       // Not in private mode: remove permissions persistently.
       // This means setting the permission to STS_KNOCKOUT in case
       // this host is on the preload list (so we can override it).
       return mPermMgr->AddFromPrincipal(principal, aType,
                                         STS_KNOCKOUT,
                                         nsIPermissionManager::EXPIRE_NEVER, 0);
     }
 
--- a/security/manager/boot/src/nsStrictTransportSecurityService.h
+++ b/security/manager/boot/src/nsStrictTransportSecurityService.h
@@ -130,33 +130,32 @@ public:
 
   nsStrictTransportSecurityService();
   nsresult Init();
   virtual ~nsStrictTransportSecurityService();
 
 private:
   nsresult GetHost(nsIURI *aURI, nsACString &aResult);
   nsresult GetPrincipalForURI(nsIURI *aURI, nsIPrincipal **aPrincipal);
-  nsresult SetStsState(nsIURI* aSourceURI, int64_t maxage, bool includeSubdomains, uint32_t flags);
-  nsresult ProcessStsHeaderMutating(nsIURI* aSourceURI, char* aHeader, uint32_t flags,
+  nsresult SetStsState(nsIURI* aSourceURI, int64_t maxage, bool includeSubdomains);
+  nsresult ProcessStsHeaderMutating(nsIURI* aSourceURI, char* aHeader,
                                     uint64_t *aMaxAge, bool *aIncludeSubdomains);
   const nsSTSPreload *GetPreloadListEntry(const char *aHost);
 
   // private-mode-preserving permission manager overlay functions
   nsresult AddPermission(nsIURI     *aURI,
                          const char *aType,
                          uint32_t   aPermission,
                          uint32_t   aExpireType,
-                         int64_t    aExpireTime,
-                         bool       aIsPrivate);
+                         int64_t    aExpireTime);
   nsresult RemovePermission(const nsCString  &aHost,
-                            const char       *aType,
-                            bool              aIsPrivate);
+                            const char       *aType);
 
   // cached services
   nsCOMPtr<nsIPermissionManager> mPermMgr;
   nsCOMPtr<nsIObserverService> mObserverService;
 
+  bool mInPrivateMode;
   nsTHashtable<nsSTSHostEntry> mPrivateModeHostTable;
   bool mUsePreloadList;
 };
 
 #endif // __nsStrictTransportSecurityService_h__
--- a/security/manager/ssl/src/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/src/SSLServerCertVerification.cpp
@@ -288,24 +288,17 @@ CertErrorRunnable::CheckCertOverrides()
 
   // Enforce Strict-Transport-Security for hosts that are "STS" hosts:
   // connections must be dropped when there are any certificate errors
   // (STS Spec section 7.3).
   bool strictTransportSecurityEnabled = false;
   nsCOMPtr<nsIStrictTransportSecurityService> stss
     = do_GetService(NS_STSSERVICE_CONTRACTID, &nsrv);
   if (NS_SUCCEEDED(nsrv)) {
-    nsCOMPtr<nsISSLSocketControl> sslSocketControl = do_QueryInterface(
-      NS_ISUPPORTS_CAST(nsITransportSecurityInfo*, mInfoObject));
-    uint32_t flags = 0;
-    if (sslSocketControl) {
-      sslSocketControl->GetProviderFlags(&flags);
-    }
     nsrv = stss->IsStsHost(mInfoObject->GetHostName(),
-                           flags,
                            &strictTransportSecurityEnabled);
   }
   if (NS_FAILED(nsrv)) {
     return new SSLServerCertVerificationResult(mInfoObject,
                                                mDefaultErrorCodeToReport);
   }
 
   if (!strictTransportSecurityEnabled) {
--- a/security/manager/ssl/src/TransportSecurityInfo.h
+++ b/security/manager/ssl/src/TransportSecurityInfo.h
@@ -12,17 +12,16 @@
 #include "mozilla/RefPtr.h"
 #include "nsIInterfaceRequestor.h"
 #include "nsITransportSecurityInfo.h"
 #include "nsSSLStatus.h"
 #include "nsISSLStatusProvider.h"
 #include "nsIAssociatedContentSecurity.h"
 #include "nsNSSShutDown.h"
 #include "nsDataHashtable.h"
-#include "nsISocketTransport.h"
 
 namespace mozilla { namespace psm {
 
 enum SSLErrorMessageType {
   OverridableCertErrorMessage  = 1, // for *overridable* certificate errors
   PlainErrorMessage = 2             // all other errors (or "no error")
 };
 
--- a/security/manager/ssl/src/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/src/nsNSSIOLayer.cpp
@@ -56,48 +56,40 @@ static NS_DEFINE_CID(kNSSComponentCID, N
 typedef enum {ASK, AUTO} SSM_UserCertChoice;
 
 } // unnamed namespace
 
 #ifdef PR_LOGGING
 extern PRLogModuleInfo* gPIPNSSLog;
 #endif
 
-nsNSSSocketInfo::nsNSSSocketInfo(uint32_t providerFlags)
+nsNSSSocketInfo::nsNSSSocketInfo()
   : mFd(nullptr),
     mCertVerificationState(before_cert_verification),
     mForSTARTTLS(false),
     mSSL3Enabled(false),
     mTLSEnabled(false),
     mHandshakePending(true),
     mHasCleartextPhase(false),
     mHandshakeInProgress(false),
     mAllowTLSIntoleranceTimeout(true),
     mRememberClientAuthCertificate(false),
     mHandshakeStartTime(0),
     mFirstServerHelloReceived(false),
     mNPNCompleted(false),
     mHandshakeCompleted(false),
     mJoined(false),
-    mSentClientCert(false),
-    mProviderFlags(providerFlags)
+    mSentClientCert(false)
 {
 }
 
 NS_IMPL_ISUPPORTS_INHERITED2(nsNSSSocketInfo, TransportSecurityInfo,
                              nsISSLSocketControl,
                              nsIClientAuthUserDecision)
 
-NS_IMETHODIMP
-nsNSSSocketInfo::GetProviderFlags(uint32_t* aProviderFlags)
-{
-  *aProviderFlags = mProviderFlags;
-  return NS_OK;
-}
-
 nsresult
 nsNSSSocketInfo::GetHandshakePending(bool *aHandshakePending)
 {
   *aHandshakePending = mHandshakePending;
   return NS_OK;
 }
 
 nsresult
@@ -1315,24 +1307,24 @@ nsresult
 nsSSLIOLayerNewSocket(int32_t family,
                       const char *host,
                       int32_t port,
                       const char *proxyHost,
                       int32_t proxyPort,
                       PRFileDesc **fd,
                       nsISupports** info,
                       bool forSTARTTLS,
-                      uint32_t flags)
+                      bool anonymousLoad)
 {
 
   PRFileDesc* sock = PR_OpenTCPSocket(family);
   if (!sock) return NS_ERROR_OUT_OF_MEMORY;
 
   nsresult rv = nsSSLIOLayerAddToSocket(family, host, port, proxyHost, proxyPort,
-                                        sock, info, forSTARTTLS, flags);
+                                        sock, info, forSTARTTLS, anonymousLoad);
   if (NS_FAILED(rv)) {
     PR_Close(sock);
     return rv;
   }
 
   *fd = sock;
   return NS_OK;
 }
@@ -2312,31 +2304,30 @@ done:
   if (mRV == SECFailure) {
     mErrorCodeToReport = error;
   }
 }
 
 static PRFileDesc*
 nsSSLIOLayerImportFD(PRFileDesc *fd,
                      nsNSSSocketInfo *infoObject,
-                     const char *host)
+                     const char *host,
+                     bool anonymousLoad)
 {
   nsNSSShutDownPreventionLock locker;
   PRFileDesc* sslSock = SSL_ImportFD(nullptr, fd);
   if (!sslSock) {
     NS_ASSERTION(false, "NSS: Error importing socket");
     return nullptr;
   }
   SSL_SetPKCS11PinArg(sslSock, (nsIInterfaceRequestor*)infoObject);
   SSL_HandshakeCallback(sslSock, HandshakeCallback, infoObject);
 
   // Disable this hook if we connect anonymously. See bug 466080.
-  uint32_t flags = 0;
-  infoObject->GetProviderFlags(&flags);
-  if (flags & nsISocketTransport::ANONYMOUS_CONNECT) {
+  if (anonymousLoad) {
       SSL_GetClientAuthDataHook(sslSock, nullptr, infoObject);
   } else {
       SSL_GetClientAuthDataHook(sslSock, 
                             (SSLGetClientAuthData)nsNSS_SSLGetClientAuthData,
                             infoObject);
   }
   if (SECSuccess != SSL_AuthCertificateHook(sslSock, AuthCertificateHook,
                                             infoObject)) {
@@ -2432,33 +2423,32 @@ nsresult
 nsSSLIOLayerAddToSocket(int32_t family,
                         const char* host,
                         int32_t port,
                         const char* proxyHost,
                         int32_t proxyPort,
                         PRFileDesc* fd,
                         nsISupports** info,
                         bool forSTARTTLS,
-                        uint32_t providerFlags)
+                        bool anonymousLoad)
 {
   nsNSSShutDownPreventionLock locker;
   PRFileDesc* layer = nullptr;
   nsresult rv;
   PRStatus stat;
 
-  nsNSSSocketInfo* infoObject = new nsNSSSocketInfo(providerFlags);
+  nsNSSSocketInfo* infoObject = new nsNSSSocketInfo();
   if (!infoObject) return NS_ERROR_FAILURE;
   
   NS_ADDREF(infoObject);
   infoObject->SetForSTARTTLS(forSTARTTLS);
   infoObject->SetHostName(host);
   infoObject->SetPort(port);
 
-  bool anonymousLoad = providerFlags & nsISocketProvider::ANONYMOUS_CONNECT;
-  PRFileDesc *sslSock = nsSSLIOLayerImportFD(fd, infoObject, host);
+  PRFileDesc *sslSock = nsSSLIOLayerImportFD(fd, infoObject, host, anonymousLoad);
   if (!sslSock) {
     NS_ASSERTION(false, "NSS: Error importing socket");
     goto loser;
   }
 
   infoObject->SetFileDescPtr(sslSock);
 
   rv = nsSSLIOLayerSetOptions(sslSock,
--- a/security/manager/ssl/src/nsNSSIOLayer.h
+++ b/security/manager/ssl/src/nsNSSIOLayer.h
@@ -8,24 +8,23 @@
 #define _NSNSSIOLAYER_H
 
 #include "TransportSecurityInfo.h"
 #include "nsISSLSocketControl.h"
 #include "nsIClientAuthDialogs.h"
 #include "nsNSSCertificate.h"
 #include "nsDataHashtable.h"
 #include "nsTHashtable.h"
-#include "nsISocketTransport.h"
 
 class nsNSSSocketInfo : public mozilla::psm::TransportSecurityInfo,
                         public nsISSLSocketControl,
                         public nsIClientAuthUserDecision
 {
 public:
-  nsNSSSocketInfo(uint32_t providerFlags);
+  nsNSSSocketInfo();
   
   NS_DECL_ISUPPORTS_INHERITED
   NS_DECL_NSISSLSOCKETCONTROL
   NS_DECL_NSICLIENTAUTHUSERDECISION
  
   nsresult SetForSTARTTLS(bool aForSTARTTLS);
   nsresult GetForSTARTTLS(bool *aForSTARTTLS);
 
@@ -68,17 +67,17 @@ public:
   void SetCertVerificationResult(PRErrorCode errorCode,
               ::mozilla::psm::SSLErrorMessageType errorMessageType);
   
   // for logging only
   PRBool IsWaitingForCertVerification() const
   {
     return mCertVerificationState == waiting_for_cert_verification;
   }
-
+  
   bool IsSSL3Enabled() const { return mSSL3Enabled; }
   void SetSSL3Enabled(bool enabled) { mSSL3Enabled = enabled; }
   bool IsTLSEnabled() const { return mTLSEnabled; }
   void SetTLSEnabled(bool enabled) { mTLSEnabled = enabled; }
 private:
   PRFileDesc* mFd;
 
   CertVerificationState mCertVerificationState;
@@ -96,18 +95,16 @@ private:
 
   nsresult ActivateSSL();
 
   nsCString mNegotiatedNPN;
   bool      mNPNCompleted;
   bool      mHandshakeCompleted;
   bool      mJoined;
   bool      mSentClientCert;
-
-  uint32_t mProviderFlags;
 };
 
 class nsSSLIOLayerHelpers
 {
 public:
   static nsresult Init();
   static void Cleanup();
 
@@ -144,24 +141,24 @@ public:
 nsresult nsSSLIOLayerNewSocket(int32_t family,
                                const char *host,
                                int32_t port,
                                const char *proxyHost,
                                int32_t proxyPort,
                                PRFileDesc **fd,
                                nsISupports **securityInfo,
                                bool forSTARTTLS,
-                               uint32_t flags);
+                               bool anonymousLoad);
 
 nsresult nsSSLIOLayerAddToSocket(int32_t family,
                                  const char *host,
                                  int32_t port,
                                  const char *proxyHost,
                                  int32_t proxyPort,
                                  PRFileDesc *fd,
                                  nsISupports **securityInfo,
                                  bool forSTARTTLS,
-                                 uint32_t flags);
+                                 bool anonymousLoad);
 
 nsresult nsSSLIOLayerFreeTLSIntolerantSites();
 nsresult displayUnknownCertErrorAlert(nsNSSSocketInfo *infoObject, int error);
 
 #endif /* _NSNSSIOLAYER_H */
--- a/security/manager/ssl/src/nsSSLSocketProvider.cpp
+++ b/security/manager/ssl/src/nsSSLSocketProvider.cpp
@@ -31,17 +31,17 @@ nsSSLSocketProvider::NewSocket(int32_t f
   nsresult rv = nsSSLIOLayerNewSocket(family,
                                       host,
                                       port,
                                       proxyHost,
                                       proxyPort,
                                       _result,
                                       securityInfo,
                                       false,
-                                      flags);
+                                      flags & ANONYMOUS_CONNECT);
   return (NS_FAILED(rv)) ? NS_ERROR_SOCKET_CREATE_FAILED : NS_OK;
 }
 
 // Add the SSL IO layer to an existing socket
 NS_IMETHODIMP
 nsSSLSocketProvider::AddToSocket(int32_t family,
                                  const char *host,
                                  int32_t port,
@@ -54,12 +54,12 @@ nsSSLSocketProvider::AddToSocket(int32_t
   nsresult rv = nsSSLIOLayerAddToSocket(family,
                                         host,
                                         port,
                                         proxyHost,
                                         proxyPort,
                                         aSocket,
                                         securityInfo,
                                         false,
-                                        flags);
+                                        flags & ANONYMOUS_CONNECT);
   
   return (NS_FAILED(rv)) ? NS_ERROR_SOCKET_CREATE_FAILED : NS_OK;
 }
--- a/security/manager/ssl/src/nsTLSSocketProvider.cpp
+++ b/security/manager/ssl/src/nsTLSSocketProvider.cpp
@@ -31,17 +31,17 @@ nsTLSSocketProvider::NewSocket(int32_t f
   nsresult rv = nsSSLIOLayerNewSocket(family,
                                       host,
                                       port,
                                       proxyHost,
                                       proxyPort,
                                       _result,
                                       securityInfo,
                                       true,
-                                      flags);
+                                      flags & ANONYMOUS_CONNECT);
   
   return (NS_FAILED(rv)) ? NS_ERROR_SOCKET_CREATE_FAILED : NS_OK;
 }
 
 // Add the SSL IO layer to an existing socket
 NS_IMETHODIMP
 nsTLSSocketProvider::AddToSocket(int32_t family,
                                  const char *host,
@@ -55,12 +55,12 @@ nsTLSSocketProvider::AddToSocket(int32_t
   nsresult rv = nsSSLIOLayerAddToSocket(family,
                                         host,
                                         port,
                                         proxyHost,
                                         proxyPort,
                                         aSocket,
                                         securityInfo,
                                         true,
-                                        flags);
+                                        flags & ANONYMOUS_CONNECT);
   
   return (NS_FAILED(rv)) ? NS_ERROR_SOCKET_CREATE_FAILED : NS_OK;
 }
--- a/security/manager/ssl/tests/mochitest/stricttransportsecurity/test_stricttransportsecurity.html
+++ b/security/manager/ssl/tests/mochitest/stricttransportsecurity/test_stricttransportsecurity.html
@@ -49,17 +49,17 @@
     // clean up the STS state
     netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect');
     const Cc = Components.classes;
     const Ci = Components.interfaces;
     var ios = Cc["@mozilla.org/network/io-service;1"].getService(Ci.nsIIOService);
     var thehost = ios.newURI("http://example.com", null, null);
 
     var stss = Cc["@mozilla.org/stsservice;1"].getService(Ci.nsIStrictTransportSecurityService);
-    stss.removeStsState(thehost, 0);
+    stss.removeStsState(thehost);
   }
 
   function loadVerifyFrames(round) {
     for (var test in testframes) {
       var frame = document.createElement("iframe");
       frame.setAttribute('id', 'ifr_' + test);
       frame.setAttribute('src', testframes[test].url + '?id=' + test);
       document.body.appendChild(frame);
--- a/security/manager/ssl/tests/mochitest/stricttransportsecurity/test_sts_privatebrowsing.html
+++ b/security/manager/ssl/tests/mochitest/stricttransportsecurity/test_sts_privatebrowsing.html
@@ -166,36 +166,26 @@
     netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect');
     const Cc = Components.classes;
     const Ci = Components.interfaces;
     var ios = Cc["@mozilla.org/network/io-service;1"]
                 .getService(Ci.nsIIOService);
     var thehost = ios.newURI("http://example.com", null, null);
     var stss = Cc["@mozilla.org/stsservice;1"]
                  .getService(Ci.nsIStrictTransportSecurityService);
-    var loadContext = window.QueryInterface(Ci.nsIInterfaceRequestor)
-                            .getInterface(Ci.nsIWebNavigation)
-                            .QueryInterface(Ci.nsILoadContext);
-    var flags = loadContext.usePrivateBrowsing ?
-      Ci.nsISocketProvider.NO_PERMANENT_STORAGE : 0
-    stss.removeStsState(thehost, flags);
+    stss.removeStsState(thehost);
     dump_STSState();
     SimpleTest.executeSoon(nextTest);
   }
 
 function dump_STSState() {
     netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect');
     var stss = Components.classes["@mozilla.org/stsservice;1"]
           .getService(Components.interfaces.nsIStrictTransportSecurityService);
-    var loadContext = window.QueryInterface(Components.interfaces.nsIInterfaceRequestor)
-                            .getInterface(Components.interfaces.nsIWebNavigation)
-                            .QueryInterface(Components.interfaces.nsILoadContext);
-    var flags = loadContext.usePrivateBrowsing ?
-      Components.interfaces.nsISocketProvider.NO_PERMANENT_STORAGE : 0
-    SimpleTest.info("State of example.com: " + stss.isStsHost("example.com", flags));
+    SimpleTest.info("State of example.com: " + stss.isStsHost("example.com"));
 }
 
   // these are executed in the order presented.
   // 0.  test that STS works before entering private browsing mode.
   //     (load sts-bootstrapped "plain" tests)
   //  ... clear any STS data ...
   var tests = [
     test_sts_before_private_mode,
--- a/security/manager/ssl/tests/unit/test_bug627234.js
+++ b/security/manager/ssl/tests/unit/test_bug627234.js
@@ -1,64 +1,75 @@
 var Cc = Components.classes;
 var Ci = Components.interfaces;
 
 Components.utils.import("resource://gre/modules/Services.jsm");
 
+var _PBSvc = null;
+function get_PBSvc() {
+  if (_PBSvc)
+    return _PBSvc;
+
+  try {
+    _PBSvc = Cc["@mozilla.org/privatebrowsing;1"]
+               .getService(Ci.nsIPrivateBrowsingService);
+    return _PBSvc;
+  } catch (e) {}
+  return null;
+}
+
 var gSTSService = Cc["@mozilla.org/stsservice;1"]
                   .getService(Ci.nsIStrictTransportSecurityService);
 
+function Observer() {}
+Observer.prototype = {
+  observe: function(subject, topic, data) {
+    do_execute_soon(gNextTest);
+  }
+};
+
+var gObserver = new Observer();
 var gNextTest = null;
 
 function cleanup() {
-  leavePB();
+  Services.obs.removeObserver(gObserver, "private-browsing-transition-complete");
+  get_PBSvc().privateBrowsingEnabled = false;
   // (we have to remove any state added to the sts service so as to not muck
   // with other tests).
   var uri = Services.io.newURI("http://localhost", null, null);
-  gSTSService.removeStsState(uri, privacyFlags());
+  gSTSService.removeStsState(uri);
 }
 
 function run_test() {
-  do_test_pending();
-  do_register_cleanup(cleanup);
-
-  gNextTest = test_part1;
-  enterPB();
-}
+  let pb = get_PBSvc();
+  if (pb) {
+    do_test_pending();
+    do_register_cleanup(cleanup);
 
-var gInPrivate = false;
-function enterPB() {
-  gInPrivate = true;
-  do_execute_soon(gNextTest);
-}
-
-function leavePB() {
-  gInPrivate = false;
-  Services.obs.notifyObservers(null, "last-pb-context-exited", null);
-  do_execute_soon(gNextTest);
-}
-
-function privacyFlags() {
-  return gInPrivate ? Ci.nsISocketProvider.NO_PERMANENT_STORAGE : 0;
+    gNextTest = test_part1;
+    Services.obs.addObserver(gObserver, "private-browsing-transition-complete", false);
+    Services.prefs.setBoolPref("browser.privatebrowsing.keep_current_session", true);
+    pb.privateBrowsingEnabled = true;
+  }
 }
 
 function test_part1() {
   var uri = Services.io.newURI("https://localhost/img.png", null, null);
-  gSTSService.processStsHeader(uri, "max-age=1000", privacyFlags());
-  do_check_true(gSTSService.isStsHost("localhost", privacyFlags()));
+  gSTSService.processStsHeader(uri, "max-age=1000");
+  do_check_true(gSTSService.isStsHost("localhost"));
   gNextTest = test_part2;
-  leavePB();
+  get_PBSvc().privateBrowsingEnabled = false;
 }
 
 function test_part2() {
   var uri = Services.io.newURI("https://localhost/img.png", null, null);
-  gSTSService.processStsHeader(uri, "max-age=1000", privacyFlags());
-  do_check_true(gSTSService.isStsHost("localhost", privacyFlags()));
+  gSTSService.processStsHeader(uri, "max-age=1000");
+  do_check_true(gSTSService.isStsHost("localhost"));
   gNextTest = test_part3;
-  enterPB();
+  get_PBSvc().privateBrowsingEnabled = true;
 }
 
 function test_part3() {
   var uri = Services.io.newURI("https://localhost/img.png", null, null);
-  gSTSService.processStsHeader(uri, "max-age=1000", privacyFlags());
-  do_check_true(gSTSService.isStsHost("localhost", privacyFlags()));
+  gSTSService.processStsHeader(uri, "max-age=1000");
+  do_check_true(gSTSService.isStsHost("localhost"));
   do_test_finished();
 }
--- a/security/manager/ssl/tests/unit/test_sts_preloadlist.js
+++ b/security/manager/ssl/tests/unit/test_sts_preloadlist.js
@@ -41,17 +41,17 @@ var hosts = ["http://keyerror.com", "htt
 
 function cleanup() {
   Services.obs.removeObserver(gObserver, "private-browsing-transition-complete");
   if (getPBSvc())
     getPBSvc().privateBrowsingEnabled = false;
 
   for (var host of hosts) {
     var uri = Services.io.newURI(host, null, null);
-    gSTSService.removeStsState(uri, 0);
+    gSTSService.removeStsState(uri);
   }
 }
 
 function run_test() {
   do_register_cleanup(cleanup);
   Services.obs.addObserver(gObserver, "private-browsing-transition-complete", false);
   Services.prefs.setBoolPref("browser.privatebrowsing.keep_current_session", true);
 
@@ -61,156 +61,154 @@ function run_test() {
     add_test(test_private_browsing2);
   }
 
   run_next_test();
 }
 
 function test_part1() {
   // check that a host not in the list is not identified as an sts host
-  do_check_false(gSTSService.isStsHost("nonexistent.mozilla.com", 0));
+  do_check_false(gSTSService.isStsHost("nonexistent.mozilla.com"));
 
   // check that an ancestor domain is not identified as an sts host
-  do_check_false(gSTSService.isStsHost("com", 0));
+  do_check_false(gSTSService.isStsHost("com"));
 
   // Note: the following were taken from the STS preload list
   // as of Sept. 2012. If the list changes, this test will need to be modified.
   // check that the pref to toggle using the preload list works
   Services.prefs.setBoolPref("network.stricttransportsecurity.preloadlist", false);
-  do_check_false(gSTSService.isStsHost("factor.cc", 0));
+  do_check_false(gSTSService.isStsHost("factor.cc"));
   Services.prefs.setBoolPref("network.stricttransportsecurity.preloadlist", true);
-  do_check_true(gSTSService.isStsHost("factor.cc", 0));
+  do_check_true(gSTSService.isStsHost("factor.cc"));
 
   // check that an entry at the beginning of the list is an sts host
-  do_check_true(gSTSService.isStsHost("arivo.com.br", 0));
+  do_check_true(gSTSService.isStsHost("arivo.com.br"));
 
   // check that a subdomain is an sts host (includeSubdomains is set)
-  do_check_true(gSTSService.isStsHost("subdomain.arivo.com.br", 0));
+  do_check_true(gSTSService.isStsHost("subdomain.arivo.com.br"));
 
   // check that another subdomain is an sts host (includeSubdomains is set)
-  do_check_true(gSTSService.isStsHost("a.b.c.subdomain.arivo.com.br", 0));
+  do_check_true(gSTSService.isStsHost("a.b.c.subdomain.arivo.com.br"));
 
   // check that an entry in the middle of the list is an sts host
-  do_check_true(gSTSService.isStsHost("neg9.org", 0));
+  do_check_true(gSTSService.isStsHost("neg9.org"));
 
   // check that a subdomain is not an sts host (includeSubdomains is not set)
-  do_check_false(gSTSService.isStsHost("subdomain.neg9.org", 0));
+  do_check_false(gSTSService.isStsHost("subdomain.neg9.org"));
 
   // check that an entry at the end of the list is an sts host
-  do_check_true(gSTSService.isStsHost("www.noisebridge.net", 0));
+  do_check_true(gSTSService.isStsHost("www.noisebridge.net"));
 
   // check that a subdomain is not an sts host (includeSubdomains is not set)
-  do_check_false(gSTSService.isStsHost("a.subdomain.www.noisebridge.net", 0));
+  do_check_false(gSTSService.isStsHost("a.subdomain.www.noisebridge.net"));
 
   // check that a host with a dot on the end won't break anything
-  do_check_false(gSTSService.isStsHost("notsts.nonexistent.mozilla.com.", 0));
+  do_check_false(gSTSService.isStsHost("notsts.nonexistent.mozilla.com."));
 
   // check that processing a header with max-age: 0 will remove a preloaded
   // site from the list
   var uri = Services.io.newURI("http://keyerror.com", null, null);
-  gSTSService.processStsHeader(uri, "max-age=0", 0);
-  do_check_false(gSTSService.isStsHost("keyerror.com", 0));
-  do_check_false(gSTSService.isStsHost("subdomain.keyerror.com", 0));
+  gSTSService.processStsHeader(uri, "max-age=0");
+  do_check_false(gSTSService.isStsHost("keyerror.com"));
+  do_check_false(gSTSService.isStsHost("subdomain.keyerror.com"));
   // check that processing another header (with max-age non-zero) will
   // re-enable a site's sts status
-  gSTSService.processStsHeader(uri, "max-age=1000", 0);
-  do_check_true(gSTSService.isStsHost("keyerror.com", 0));
+  gSTSService.processStsHeader(uri, "max-age=1000");
+  do_check_true(gSTSService.isStsHost("keyerror.com"));
   // but this time include subdomains was not set, so test for that
-  do_check_false(gSTSService.isStsHost("subdomain.keyerror.com", 0));
+  do_check_false(gSTSService.isStsHost("subdomain.keyerror.com"));
 
   // check that processing a header with max-age: 0 from a subdomain of a site
   // will not remove that (ancestor) site from the list
   var uri = Services.io.newURI("http://subdomain.intercom.io", null, null);
-  gSTSService.processStsHeader(uri, "max-age=0", 0);
-  do_check_true(gSTSService.isStsHost("intercom.io", 0));
-  do_check_false(gSTSService.isStsHost("subdomain.intercom.io", 0));
+  gSTSService.processStsHeader(uri, "max-age=0");
+  do_check_true(gSTSService.isStsHost("intercom.io"));
+  do_check_false(gSTSService.isStsHost("subdomain.intercom.io"));
 
   var uri = Services.io.newURI("http://subdomain.pixi.me", null, null);
-  gSTSService.processStsHeader(uri, "max-age=0", 0);
+  gSTSService.processStsHeader(uri, "max-age=0");
   // we received a header with "max-age=0", so we have "no information"
   // regarding the sts state of subdomain.pixi.me specifically, but
   // it is actually still an STS host, because of the preloaded pixi.me
   // including subdomains.
   // Here's a drawing:
   // |-- pixi.me (in preload list, includes subdomains)      IS sts host
   //     |-- subdomain.pixi.me                               IS sts host
   //     |   `-- another.subdomain.pixi.me                   IS sts host
   //     `-- sibling.pixi.me                                 IS sts host
-  do_check_true(gSTSService.isStsHost("subdomain.pixi.me", 0));
-  do_check_true(gSTSService.isStsHost("sibling.pixi.me", 0));
-  do_check_true(gSTSService.isStsHost("another.subdomain.pixi.me", 0));
+  do_check_true(gSTSService.isStsHost("subdomain.pixi.me"));
+  do_check_true(gSTSService.isStsHost("sibling.pixi.me"));
+  do_check_true(gSTSService.isStsHost("another.subdomain.pixi.me"));
 
-  gSTSService.processStsHeader(uri, "max-age=1000", 0);
+  gSTSService.processStsHeader(uri, "max-age=1000");
   // Here's what we have now:
   // |-- pixi.me (in preload list, includes subdomains)      IS sts host
   //     |-- subdomain.pixi.me (include subdomains is false) IS sts host
   //     |   `-- another.subdomain.pixi.me                   IS NOT sts host
   //     `-- sibling.pixi.me                                 IS sts host
-  do_check_true(gSTSService.isStsHost("subdomain.pixi.me", 0));
-  do_check_true(gSTSService.isStsHost("sibling.pixi.me", 0));
-  do_check_false(gSTSService.isStsHost("another.subdomain.pixi.me", 0));
+  do_check_true(gSTSService.isStsHost("subdomain.pixi.me"));
+  do_check_true(gSTSService.isStsHost("sibling.pixi.me"));
+  do_check_false(gSTSService.isStsHost("another.subdomain.pixi.me"));
 
   // Test private browsing correctly interacts with removing preloaded sites.
   // If we don't have the private browsing service, don't run those tests
   // (which means we have to manually call run_next_test() instead of relying
   // on our observer to call it).
   if (getPBSvc()) {
     getPBSvc().privateBrowsingEnabled = true;
   } else {
     run_next_test();
   }
 }
 
-const IS_PRIVATE = Ci.nsISocketProvider.NO_PERMANENT_STORAGE;
-
 function test_private_browsing1() {
   // sanity - crypto.cat is preloaded, includeSubdomains set
-  do_check_true(gSTSService.isStsHost("crypto.cat", IS_PRIVATE));
-  do_check_true(gSTSService.isStsHost("a.b.c.subdomain.crypto.cat", IS_PRIVATE));
+  do_check_true(gSTSService.isStsHost("crypto.cat"));
+  do_check_true(gSTSService.isStsHost("a.b.c.subdomain.crypto.cat"));
 
   var uri = Services.io.newURI("http://crypto.cat", null, null);
-  gSTSService.processStsHeader(uri, "max-age=0", IS_PRIVATE);
-  do_check_false(gSTSService.isStsHost("crypto.cat", IS_PRIVATE));
-  do_check_false(gSTSService.isStsHost("a.b.subdomain.crypto.cat", IS_PRIVATE));
+  gSTSService.processStsHeader(uri, "max-age=0");
+  do_check_false(gSTSService.isStsHost("crypto.cat"));
+  do_check_false(gSTSService.isStsHost("a.b.subdomain.crypto.cat"));
 
   // check adding it back in
-  gSTSService.processStsHeader(uri, "max-age=1000", IS_PRIVATE);
-  do_check_true(gSTSService.isStsHost("crypto.cat", IS_PRIVATE));
+  gSTSService.processStsHeader(uri, "max-age=1000");
+  do_check_true(gSTSService.isStsHost("crypto.cat"));
   // but no includeSubdomains this time
-  do_check_false(gSTSService.isStsHost("b.subdomain.crypto.cat", IS_PRIVATE));
+  do_check_false(gSTSService.isStsHost("b.subdomain.crypto.cat"));
 
   // do the hokey-pokey...
-  gSTSService.processStsHeader(uri, "max-age=0", IS_PRIVATE);
-  do_check_false(gSTSService.isStsHost("crypto.cat", IS_PRIVATE));
-  do_check_false(gSTSService.isStsHost("subdomain.crypto.cat", IS_PRIVATE));
+  gSTSService.processStsHeader(uri, "max-age=0");
+  do_check_false(gSTSService.isStsHost("crypto.cat"));
+  do_check_false(gSTSService.isStsHost("subdomain.crypto.cat"));
 
   // TODO unfortunately we don't have a good way to know when an entry
   // has expired in the permission manager, so we can't yet extend this test
   // to that case.
   // Test that an expired private browsing entry results in correctly
   // identifying a host that is on the preload list as no longer sts.
   // (This happens when we're in private browsing mode, we get a header from
   // a site on the preload list, and that header later expires. We need to
   // then treat that host as no longer an sts host.)
   // (sanity check first - this should be in the preload list)
-  do_check_true(gSTSService.isStsHost("logentries.com", IS_PRIVATE));
+  do_check_true(gSTSService.isStsHost("logentries.com"));
   var uri = Services.io.newURI("http://logentries.com", null, null);
   // according to the rfc, max-age can't be negative, but this is a great
   // way to test an expired entry
-  gSTSService.processStsHeader(uri, "max-age=-1000", IS_PRIVATE);
-  do_check_false(gSTSService.isStsHost("logentries.com", IS_PRIVATE));
+  gSTSService.processStsHeader(uri, "max-age=-1000");
+  do_check_false(gSTSService.isStsHost("logentries.com"));
 
   // if this test gets this far, it means there's a private browsing service
   getPBSvc().privateBrowsingEnabled = false;
 }
 
 function test_private_browsing2() {
   // if this test gets this far, it means there's a private browsing service
-  do_check_true(gSTSService.isStsHost("crypto.cat", 0));
+  do_check_true(gSTSService.isStsHost("crypto.cat"));
   // the crypto.cat entry has includeSubdomains set
-  do_check_true(gSTSService.isStsHost("subdomain.crypto.cat", 0));
+  do_check_true(gSTSService.isStsHost("subdomain.crypto.cat"));
 
   // Now that we're out of private browsing mode, we need to make sure
   // we've "forgotten" that we "forgot" this site's sts status.
-  do_check_true(gSTSService.isStsHost("logentries.com", 0));
+  do_check_true(gSTSService.isStsHost("logentries.com"));
 
   run_next_test();
 }
--- a/security/manager/ssl/tests/unit/test_sts_preloadlist_selfdestruct.js
+++ b/security/manager/ssl/tests/unit/test_sts_preloadlist_selfdestruct.js
@@ -4,21 +4,21 @@ var Cu = Components.utils;
 
 Cu.import("resource://gre/modules/Services.jsm");
 
 function run_test() {
   let STSService = Cc["@mozilla.org/stsservice;1"]
                      .getService(Ci.nsIStrictTransportSecurityService);
 
   // check that a host on the preload list is identified as an sts host
-  do_check_true(STSService.isStsHost("alpha.irccloud.com", 0));
+  do_check_true(STSService.isStsHost("alpha.irccloud.com"));
 
   // now simulate that it's 19 weeks later than it actually is
   let offsetSeconds = 19 * 7 * 24 * 60 * 60;
   Services.prefs.setIntPref("test.currentTimeOffsetSeconds", offsetSeconds);
 
   // check that the preloaded host is no longer considered sts
-  do_check_false(STSService.isStsHost("alpha.irccloud.com", 0));
+  do_check_false(STSService.isStsHost("alpha.irccloud.com"));
 
   // just make sure we can get everything back to normal
   Services.prefs.clearUserPref("test.currentTimeOffsetSeconds");
-  do_check_true(STSService.isStsHost("alpha.irccloud.com", 0));
+  do_check_true(STSService.isStsHost("alpha.irccloud.com"));
 }