Bug 1475647 - Remove nsISSLStatusProvider interface. r=baku,Gijs,jchen,jryans,keeler,mcmanus
☠☠ backed out by 87c7f405385f ☠ ☠
authorDipen Patel <bugzilla@pansara.org>
Fri, 13 Jul 2018 11:48:55 -0700
changeset 427855 d126a6593e8f3db13211170a90c11dd69763fc70
parent 427854 873b3e2c3d2b1c619a839ce64635fc1daec53d0a
child 427856 9a6e53d96b83b4c44eeb21f823121a532fc2e5b0
push id34319
push userrgurzau@mozilla.com
push dateTue, 24 Jul 2018 09:45:21 +0000
treeherdermozilla-central@cfb544de8a72 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbaku, Gijs, jchen, jryans, keeler, mcmanus
bugs1475647
milestone63.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1475647 - Remove nsISSLStatusProvider interface. r=baku,Gijs,jchen,jryans,keeler,mcmanus - Access nsISSLStatus directly as a member of nsITransportSecurityInfo and nsISecureBrowserUI. This is part of a larger effort to consolidate nsISSLStatus and nsITransportSecurityInfo. - The TabParent implementation of GetSecInfo will always return null. - Removed unnecessary QueryInterface calls - Style adherence updates MozReview-Commit-ID: Dzy6t2zYljL
browser/base/content/browser-siteIdentity.js
browser/base/content/browser.js
browser/base/content/pageinfo/security.js
devtools/shared/security/auth.js
devtools/shared/security/socket.js
devtools/shared/webconsole/network-helper.js
devtools/shared/webconsole/test/unit/test_security-info-parser.js
devtools/shared/webconsole/test/unit/test_security-info-state.js
devtools/shared/webconsole/test/unit/test_security-info-static-hpkp.js
dom/ipc/TabParent.cpp
mobile/android/chrome/content/browser.js
mobile/android/chrome/content/content.js
mobile/android/modules/geckoview/GeckoViewProgress.jsm
netwerk/base/nsISecureBrowserUI.idl
netwerk/protocol/http/AlternateServices.cpp
netwerk/protocol/http/Http2Session.cpp
netwerk/protocol/http/nsHttpChannel.cpp
netwerk/protocol/http/nsHttpNTLMAuth.cpp
netwerk/socket/nsITransportSecurityInfo.idl
security/manager/pki/resources/content/exceptionDialog.js
security/manager/ssl/TransportSecurityInfo.cpp
security/manager/ssl/TransportSecurityInfo.h
security/manager/ssl/moz.build
security/manager/ssl/nsISSLStatusProvider.idl
security/manager/ssl/nsSecureBrowserUIImpl.cpp
security/manager/ssl/nsSecureBrowserUIImpl.h
security/manager/ssl/tests/unit/head_psm.js
security/manager/ssl/tests/unit/test_cert_overrides_read_only.js
security/manager/ssl/tests/unit/test_ct.js
security/manager/ssl/tests/unit/test_session_resumption.js
security/manager/ssl/tests/unit/test_ssl_status.js
security/manager/tools/getHSTSPreloadList.js
testing/marionette/puppeteer/firefox/firefox_puppeteer/api/security.py
toolkit/content/browser-child.js
toolkit/modules/CertUtils.jsm
toolkit/modules/RemoteSecurityUI.jsm
toolkit/modules/RemoteWebProgress.jsm
toolkit/modules/addons/SecurityInfo.jsm
toolkit/modules/tests/chrome/test_bug544442_checkCert.xul
toolkit/mozapps/update/nsUpdateService.js
--- a/browser/base/content/browser-siteIdentity.js
+++ b/browser/base/content/browser-siteIdentity.js
@@ -342,22 +342,18 @@ var gIdentityHandler = {
    */
   updateIdentity(state, uri) {
     let shouldHidePopup = this._uri && (this._uri.spec != uri.spec);
     this._state = state;
 
     // Firstly, populate the state properties required to display the UI. See
     // the documentation of the individual properties for details.
     this.setURI(uri);
-    this._sslStatus = gBrowser.securityUI
-                              .QueryInterface(Ci.nsISSLStatusProvider)
-                              .SSLStatus;
-    if (this._sslStatus) {
-      this._sslStatus.QueryInterface(Ci.nsISSLStatus);
-    }
+    this._sslStatus = gBrowser.securityUI.secInfo &&
+                      gBrowser.securityUI.secInfo.SSLStatus;
 
     // Then, update the user interface with the available data.
     this.refreshIdentityBlock();
     // Handle a location change while the Control Center is focused
     // by closing the popup (bug 1207542)
     if (shouldHidePopup) {
       PanelMultiView.hidePopup(this._identityPopup);
     }
--- a/browser/base/content/browser.js
+++ b/browser/base/content/browser.js
@@ -2991,18 +2991,17 @@ var BrowserOnClick = {
 
     switch (elementId) {
       case "exceptionDialogButton":
         if (isTopFrame) {
           secHistogram.add(Ci.nsISecurityUITelemetry.WARNING_BAD_CERT_TOP_CLICK_ADD_EXCEPTION);
         }
 
         securityInfo = getSecurityInfo(securityInfoAsString);
-        sslStatus = securityInfo.QueryInterface(Ci.nsISSLStatusProvider)
-                                .SSLStatus;
+        sslStatus = securityInfo.SSLStatus;
         let params = { exceptionAdded: false,
                        sslStatus };
 
         try {
           switch (Services.prefs.getIntPref("browser.ssl_override_behavior")) {
             case 2 : // Pre-fetch & pre-populate
               params.prefetchCert = true;
             case 1 : // Pre-populate
@@ -3033,18 +3032,17 @@ var BrowserOnClick = {
         break;
 
       case "advancedButton":
         if (isTopFrame) {
           secHistogram.add(Ci.nsISecurityUITelemetry.WARNING_BAD_CERT_TOP_UNDERSTAND_RISKS);
         }
 
         securityInfo = getSecurityInfo(securityInfoAsString);
-        sslStatus = securityInfo.QueryInterface(Ci.nsISSLStatusProvider)
-                                .SSLStatus;
+        sslStatus = securityInfo.SSLStatus;
         let errorInfo = getDetailedCertErrorInfo(location,
                                                  securityInfo);
         let validityInfo = {
           notAfter: sslStatus.serverCert.validity.notAfter,
           notBefore: sslStatus.serverCert.validity.notBefore,
           notAfterLocalTime: sslStatus.serverCert.validity.notAfterLocalTime,
           notBeforeLocalTime: sslStatus.serverCert.validity.notBeforeLocalTime,
         };
--- a/browser/base/content/pageinfo/security.js
+++ b/browser/base/content/pageinfo/security.js
@@ -22,17 +22,16 @@ var security = {
 
   // Display the server certificate (static)
   viewCert() {
     var cert = security._cert;
     viewCertHelper(window, cert);
   },
 
   _getSecurityInfo() {
-    const nsISSLStatusProvider = Ci.nsISSLStatusProvider;
     const nsISSLStatus = Ci.nsISSLStatus;
 
     // We don't have separate info for a frame, return null until further notice
     // (see bug 138479)
     if (!this.windowInfo.isTopWindow)
       return null;
 
     var hostName = this.windowInfo.hostName;
@@ -45,21 +44,19 @@ var security = {
       (ui.state & Ci.nsIWebProgressListener.STATE_IS_BROKEN);
     var isMixed =
       (ui.state & (Ci.nsIWebProgressListener.STATE_LOADED_MIXED_ACTIVE_CONTENT |
                    Ci.nsIWebProgressListener.STATE_LOADED_MIXED_DISPLAY_CONTENT));
     var isInsecure =
       (ui.state & Ci.nsIWebProgressListener.STATE_IS_INSECURE);
     var isEV =
       (ui.state & Ci.nsIWebProgressListener.STATE_IDENTITY_EV_TOPLEVEL);
-    ui.QueryInterface(nsISSLStatusProvider);
-    var status = ui.SSLStatus;
+    var status = ui.secInfo && ui.secInfo.SSLStatus;
 
     if (!isInsecure && status) {
-      status.QueryInterface(nsISSLStatus);
       var cert = status.serverCert;
       var issuerName = cert.issuerOrganization || cert.issuerName;
 
       var retval = {
         hostName,
         cAName: issuerName,
         encryptionAlgorithm: undefined,
         encryptionStrength: undefined,
--- a/devtools/shared/security/auth.js
+++ b/devtools/shared/security/auth.js
@@ -295,17 +295,17 @@ OOBCert.Client.prototype = {
    *         Whether the connection is valid.
    */
   // eslint-disable-next-line no-shadow
   validateConnection({ cert, socket }) {
     // Step B.7
     // Client verifies that Server's cert matches hash(ServerCert) from the
     // advertisement
     dumpv("Validate server cert hash");
-    const serverCert = socket.securityInfo.QueryInterface(Ci.nsISSLStatusProvider)
+    const serverCert = socket.securityInfo.QueryInterface(Ci.nsITransportSecurityInfo)
                            .SSLStatus.serverCert;
     const advertisedCert = cert;
     if (serverCert.sha256Fingerprint != advertisedCert.sha256) {
       dumpn("Server cert hash doesn't match advertisement");
       return false;
     }
     return true;
   },
--- a/devtools/shared/security/socket.js
+++ b/devtools/shared/security/socket.js
@@ -348,17 +348,17 @@ function _isInputAlive(input) {
 
 /**
  * To allow the connection to proceed with self-signed cert, we store a cert
  * override.  This implies that we take on the burden of authentication for
  * these connections.
  */
 function _storeCertOverride(s, host, port) {
   // eslint-disable-next-line no-shadow
-  const cert = s.securityInfo.QueryInterface(Ci.nsISSLStatusProvider)
+  const cert = s.securityInfo.QueryInterface(Ci.nsITransportSecurityInfo)
               .SSLStatus.serverCert;
   const overrideBits = Ci.nsICertOverrideService.ERROR_UNTRUSTED |
                      Ci.nsICertOverrideService.ERROR_MISMATCH;
   certOverrideService.rememberValidityOverride(host, port, cert, overrideBits,
                                                true /* temporary */);
 }
 
 /**
--- a/devtools/shared/webconsole/network-helper.js
+++ b/devtools/shared/webconsole/network-helper.js
@@ -595,17 +595,16 @@ var NetworkHelper = {
      * - request is mixed content (which makes no sense whatsoever)
      *   => .securityState has STATE_IS_BROKEN flag
      *   => .errorCode is NOT an NSS error code
      *   => .errorMessage is not available
      *      => state === "weak"
      */
 
     securityInfo.QueryInterface(Ci.nsITransportSecurityInfo);
-    securityInfo.QueryInterface(Ci.nsISSLStatusProvider);
 
     const wpl = Ci.nsIWebProgressListener;
     const NSSErrorsService = Cc["@mozilla.org/nss_errors_service;1"]
                                .getService(Ci.nsINSSErrorsService);
     const SSLStatus = securityInfo.SSLStatus;
     if (!NSSErrorsService.isNSSErrorCode(securityInfo.errorCode)) {
       const state = securityInfo.securityState;
 
--- a/devtools/shared/webconsole/test/unit/test_security-info-parser.js
+++ b/devtools/shared/webconsole/test/unit/test_security-info-parser.js
@@ -28,18 +28,17 @@ const MockCertificate = {
   sha1Fingerprint: "qwertyuiop",
   validity: {
     notBeforeLocalDay: "yesterday",
     notAfterLocalDay: "tomorrow",
   }
 };
 
 const MockSecurityInfo = {
-  QueryInterface: ChromeUtils.generateQI([Ci.nsITransportSecurityInfo,
-                                          Ci.nsISSLStatusProvider]),
+  QueryInterface: ChromeUtils.generateQI([Ci.nsITransportSecurityInfo]),
   securityState: wpl.STATE_IS_SECURE,
   errorCode: 0,
   SSLStatus: {
     cipherSuite: "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
     // TLS_VERSION_1_2
     protocolVersion: 3,
     serverCert: MockCertificate,
   }
--- a/devtools/shared/webconsole/test/unit/test_security-info-state.js
+++ b/devtools/shared/webconsole/test/unit/test_security-info-state.js
@@ -14,18 +14,17 @@ Object.defineProperty(this, "NetworkHelp
   },
   configurable: true,
   writeable: false,
   enumerable: true
 });
 
 const wpl = Ci.nsIWebProgressListener;
 const MockSecurityInfo = {
-  QueryInterface: ChromeUtils.generateQI([Ci.nsITransportSecurityInfo,
-                                          Ci.nsISSLStatusProvider]),
+  QueryInterface: ChromeUtils.generateQI([Ci.nsITransportSecurityInfo]),
   securityState: wpl.STATE_IS_BROKEN,
   errorCode: 0,
   SSLStatus: {
     // nsISSLStatus.TLS_VERSION_1_2
     protocolVersion: 3,
     cipherSuite: "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
   }
 };
--- a/devtools/shared/webconsole/test/unit/test_security-info-static-hpkp.js
+++ b/devtools/shared/webconsole/test/unit/test_security-info-static-hpkp.js
@@ -15,18 +15,17 @@ Object.defineProperty(this, "NetworkHelp
   configurable: true,
   writeable: false,
   enumerable: true
 });
 
 const wpl = Ci.nsIWebProgressListener;
 
 const MockSecurityInfo = {
-  QueryInterface: ChromeUtils.generateQI([Ci.nsITransportSecurityInfo,
-                                          Ci.nsISSLStatusProvider]),
+  QueryInterface: ChromeUtils.generateQI([Ci.nsITransportSecurityInfo]),
   securityState: wpl.STATE_IS_SECURE,
   errorCode: 0,
   SSLStatus: {
     cipherSuite: "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
     // TLS_VERSION_1_2
     protocolVersion: 3,
     serverCert: {
       validity: {}
--- a/dom/ipc/TabParent.cpp
+++ b/dom/ipc/TabParent.cpp
@@ -54,16 +54,17 @@
 #include "nsIContent.h"
 #include "nsIDocShell.h"
 #include "nsIDocShellTreeOwner.h"
 #include "nsIDOMWindow.h"
 #include "nsIDOMWindowUtils.h"
 #include "nsIInterfaceRequestorUtils.h"
 #include "nsILoadInfo.h"
 #include "nsIPromptFactory.h"
+#include "nsITransportSecurityInfo.h"
 #include "nsIURI.h"
 #include "nsIWindowWatcher.h"
 #include "nsIWebBrowserChrome.h"
 #include "nsIXULBrowserWindow.h"
 #include "nsIXULWindow.h"
 #include "nsIRemoteBrowser.h"
 #include "nsViewManager.h"
 #include "nsVariant.h"
@@ -886,16 +887,25 @@ TabParent::GetState(uint32_t *aState)
 {
   NS_ENSURE_ARG(aState);
   NS_WARNING("SecurityState not valid here");
   *aState = 0;
   return NS_OK;
 }
 
 NS_IMETHODIMP
+TabParent::GetSecInfo(nsITransportSecurityInfo** _result)
+{
+  NS_ENSURE_ARG_POINTER(_result);
+  NS_WARNING("TransportSecurityInfo not valid here");
+  *_result = nullptr;
+  return NS_OK;
+}
+
+NS_IMETHODIMP
 TabParent::SetDocShell(nsIDocShell *aDocShell)
 {
   NS_ENSURE_ARG(aDocShell);
   NS_WARNING("No mDocShell member in TabParent so there is no docShell to set");
   return NS_OK;
 }
 
   a11y::PDocAccessibleParent*
--- a/mobile/android/chrome/content/browser.js
+++ b/mobile/android/chrome/content/browser.js
@@ -5683,19 +5683,18 @@ var IdentityHandler = {
     Telemetry.addData("TRACKING_PROTECTION_SHIELD", value);
   },
 
   /**
    * Determine the identity of the page being displayed by examining its SSL cert
    * (if available). Return the data needed to update the UI.
    */
   checkIdentity: function checkIdentity(aState, aBrowser) {
-    this._lastStatus = aBrowser.securityUI
-                               .QueryInterface(Ci.nsISSLStatusProvider)
-                               .SSLStatus;
+    this._lastStatus = aBrowser.securityUI.secInfo &&
+                       aBrowser.securityUI.secInfo.SSLStatus;
 
     // Don't pass in the actual location object, since it can cause us to
     // hold on to the window object too long.  Just pass in the fields we
     // care about. (bug 424829)
     let locationObj = {};
     try {
       let location = aBrowser.contentWindow.location;
       locationObj.host = location.host;
--- a/mobile/android/chrome/content/content.js
+++ b/mobile/android/chrome/content/content.js
@@ -355,18 +355,17 @@ var AboutCertErrorListener = {
     if (aEvent.type != "AboutCertErrorLoad") {
       return;
     }
 
     let ownerDoc = aEvent.originalTarget.ownerGlobal;
     let securityInfo = docShell.failedChannel && docShell.failedChannel.securityInfo;
     securityInfo.QueryInterface(Ci.nsITransportSecurityInfo)
                 .QueryInterface(Ci.nsISerializable);
-    let sslStatus = securityInfo.QueryInterface(Ci.nsISSLStatusProvider)
-                                                .SSLStatus;
+    let sslStatus = securityInfo.SSLStatus;
     this._setTechDetails(sslStatus, securityInfo, ownerDoc.location.href);
   },
 };
 AboutCertErrorListener.init();
 
 // This is copied from desktop's tab-content.js. See bug 1153485 about sharing this code somehow.
 var AboutReaderListener = {
 
--- a/mobile/android/modules/geckoview/GeckoViewProgress.jsm
+++ b/mobile/android/modules/geckoview/GeckoViewProgress.jsm
@@ -154,18 +154,17 @@ var IdentityHandler = {
     } catch (e) {}
 
     try {
       result.host = IDNService.convertToDisplayIDN(uri.host, {});
     } catch (e) {
       result.host = uri.host;
     }
 
-    let status = aBrowser.securityUI.QueryInterface(Ci.nsISSLStatusProvider)
-                         .SSLStatus.QueryInterface(Ci.nsISSLStatus);
+    let status = aBrowser.securityUI.secInfo.SSLStatus;
     let cert = status.serverCert;
 
     result.organization = cert.organization;
     result.subjectName = cert.subjectName;
     result.issuerOrganization = cert.issuerOrganization;
     result.issuerCommonName = cert.issuerCommonName;
 
     try {
--- a/netwerk/base/nsISecureBrowserUI.idl
+++ b/netwerk/base/nsISecureBrowserUI.idl
@@ -3,21 +3,23 @@
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsISupports.idl"
 
 interface mozIDOMWindowProxy;
 interface nsIDocShell;
+interface nsITransportSecurityInfo;
 
 [scriptable, uuid(718c662a-f810-4a80-a6c9-0b1810ecade2)]
 interface nsISecureBrowserUI : nsISupports
 {
     void init(in mozIDOMWindowProxy window);
     void setDocShell(in nsIDocShell docShell);
 
     readonly attribute unsigned long state;
+    readonly attribute nsITransportSecurityInfo secInfo;
 };
 
 %{C++
 #define NS_SECURE_BROWSER_UI_CONTRACTID "@mozilla.org/secure_browser_ui;1"
 %}
--- a/netwerk/protocol/http/AlternateServices.cpp
+++ b/netwerk/protocol/http/AlternateServices.cpp
@@ -10,18 +10,16 @@
 #include "LoadInfo.h"
 #include "nsEscape.h"
 #include "nsHttpConnectionInfo.h"
 #include "nsHttpChannel.h"
 #include "nsHttpHandler.h"
 #include "nsThreadUtils.h"
 #include "nsHttpTransaction.h"
 #include "NullHttpTransaction.h"
-#include "nsISSLStatusProvider.h"
-#include "nsISSLStatus.h"
 #include "nsISSLSocketControl.h"
 #include "nsIWellKnownOpportunisticUtils.h"
 
 /* RFC 7838 Alternative Services
    http://httpwg.org/http-extensions/opsec.html
     note that connections currently do not do mixed-scheme (the I attribute
     in the ConnectionInfo prevents it) but could, do not honor tls-commit and should
     not, and always require authentication
--- a/netwerk/protocol/http/Http2Session.cpp
+++ b/netwerk/protocol/http/Http2Session.cpp
@@ -22,18 +22,16 @@
 #include "mozilla/EndianUtils.h"
 #include "mozilla/Telemetry.h"
 #include "mozilla/Preferences.h"
 #include "nsHttp.h"
 #include "nsHttpHandler.h"
 #include "nsHttpConnection.h"
 #include "nsIRequestContext.h"
 #include "nsISSLSocketControl.h"
-#include "nsISSLStatus.h"
-#include "nsISSLStatusProvider.h"
 #include "nsISupportsPriority.h"
 #include "nsStandardURL.h"
 #include "nsURLHelper.h"
 #include "prnetdb.h"
 #include "sslt.h"
 #include "mozilla/Sprintf.h"
 #include "nsSocketTransportService2.h"
 #include "nsNetUtil.h"
--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
@@ -64,17 +64,16 @@
 #include "nsContentUtils.h"
 #include "nsContentSecurityManager.h"
 #include "nsIClassOfService.h"
 #include "nsIPermissionManager.h"
 #include "nsIPrincipal.h"
 #include "nsIScriptError.h"
 #include "nsIScriptSecurityManager.h"
 #include "nsISSLStatus.h"
-#include "nsISSLStatusProvider.h"
 #include "nsITransportSecurityInfo.h"
 #include "nsIWebProgressListener.h"
 #include "LoadContextInfo.h"
 #include "netCore.h"
 #include "nsHttpTransaction.h"
 #include "nsICacheEntryDescriptor.h"
 #include "nsICancelable.h"
 #include "nsIHttpChannelAuthProvider.h"
@@ -1852,21 +1851,21 @@ nsHttpChannel::ProcessSecurityHeaders()
     // mSecurityInfo may not always be present, and if it's not then it is okay
     // to just disregard any security headers since we know nothing about the
     // security of the connection.
     NS_ENSURE_TRUE(mSecurityInfo, NS_OK);
 
     uint32_t flags =
       NS_UsePrivateBrowsing(this) ? nsISocketProvider::NO_PERMANENT_STORAGE : 0;
 
-    // Get the SSLStatus
-    nsCOMPtr<nsISSLStatusProvider> sslprov = do_QueryInterface(mSecurityInfo);
-    NS_ENSURE_TRUE(sslprov, NS_ERROR_FAILURE);
+    // Get the TransportSecurityInfo
+    nsCOMPtr<nsITransportSecurityInfo> transSecInfo = do_QueryInterface(mSecurityInfo);
+    NS_ENSURE_TRUE(transSecInfo, NS_ERROR_FAILURE);
     nsCOMPtr<nsISSLStatus> sslStatus;
-    rv = sslprov->GetSSLStatus(getter_AddRefs(sslStatus));
+    rv = transSecInfo->GetSSLStatus(getter_AddRefs(sslStatus));
     NS_ENSURE_SUCCESS(rv, rv);
     NS_ENSURE_TRUE(sslStatus, NS_ERROR_FAILURE);
 
     rv = ProcessSingleSecurityHeader(nsISiteSecurityService::HEADER_HSTS,
                                      sslStatus, flags);
     NS_ENSURE_SUCCESS(rv, rv);
 
     rv = ProcessSingleSecurityHeader(nsISiteSecurityService::HEADER_HPKP,
@@ -1987,27 +1986,25 @@ nsHttpChannel::ProcessSSLInformation()
     // If this is HTTPS, record any use of RSA so that Key Exchange Algorithm
     // can be whitelisted for TLS False Start in future sessions. We could
     // do the same for DH but its rarity doesn't justify the lookup.
 
     if (mCanceled || NS_FAILED(mStatus) || !mSecurityInfo ||
         !IsHTTPS() || mPrivateBrowsing)
         return;
 
-    nsCOMPtr<nsISSLStatusProvider> statusProvider =
+    nsCOMPtr<nsITransportSecurityInfo> securityInfo =
         do_QueryInterface(mSecurityInfo);
-    if (!statusProvider)
+    if (!securityInfo)
         return;
     nsCOMPtr<nsISSLStatus> sslstat;
-    statusProvider->GetSSLStatus(getter_AddRefs(sslstat));
+    securityInfo->GetSSLStatus(getter_AddRefs(sslstat));
     if (!sslstat)
         return;
 
-    nsCOMPtr<nsITransportSecurityInfo> securityInfo =
-        do_QueryInterface(mSecurityInfo);
     uint32_t state;
     if (securityInfo &&
         NS_SUCCEEDED(securityInfo->GetSecurityState(&state)) &&
         (state & nsIWebProgressListener::STATE_IS_BROKEN)) {
         // Send weak crypto warnings to the web console
         if (state & nsIWebProgressListener::STATE_USES_WEAK_CRYPTO) {
             nsString consoleErrorTag = NS_LITERAL_STRING("WeakCipherSuiteWarning");
             nsString consoleErrorCategory = NS_LITERAL_STRING("SSL");
--- a/netwerk/protocol/http/nsHttpNTLMAuth.cpp
+++ b/netwerk/protocol/http/nsHttpNTLMAuth.cpp
@@ -19,17 +19,16 @@
 #include "nsIPrefBranch.h"
 #include "nsIPrefService.h"
 #include "nsIHttpAuthenticableChannel.h"
 #include "nsIURI.h"
 #ifdef XP_WIN
 #include "nsIChannel.h"
 #include "nsIX509Cert.h"
 #include "nsISSLStatus.h"
-#include "nsISSLStatusProvider.h"
 #endif
 #include "mozilla/Attributes.h"
 #include "mozilla/Base64.h"
 #include "mozilla/CheckedInt.h"
 #include "mozilla/Tokenizer.h"
 #include "mozilla/UniquePtr.h"
 #include "mozilla/Unused.h"
 #include "nsNetUtil.h"
@@ -330,22 +329,22 @@ nsHttpNTLMAuth::GenerateCredentials(nsIH
         if (NS_FAILED(rv))
             return rv;
 
         nsCOMPtr<nsISupports> security;
         rv = channel->GetSecurityInfo(getter_AddRefs(security));
         if (NS_FAILED(rv))
             return rv;
 
-        nsCOMPtr<nsISSLStatusProvider> statusProvider =
+        nsCOMPtr<nsITransportSecurityInfo> secInfo =
             do_QueryInterface(security);
 
-        if (mUseNative && statusProvider) {
+        if (mUseNative && secInfo) {
             nsCOMPtr<nsISSLStatus> status;
-            rv = statusProvider->GetSSLStatus(getter_AddRefs(status));
+            rv = secInfo->GetSSLStatus(getter_AddRefs(status));
             if (NS_FAILED(rv))
                 return rv;
 
             nsCOMPtr<nsIX509Cert> cert;
             rv = status->GetServerCert(getter_AddRefs(cert));
             if (NS_FAILED(rv))
                 return rv;
 
--- a/netwerk/socket/nsITransportSecurityInfo.idl
+++ b/netwerk/socket/nsITransportSecurityInfo.idl
@@ -1,25 +1,28 @@
 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsISupports.idl"
 
+interface nsISSLStatus;
 interface nsIX509CertList;
 
 [builtinclass, scriptable, uuid(216112d3-28bc-4671-b057-f98cc09ba1ea)]
 interface nsITransportSecurityInfo : nsISupports {
     readonly attribute unsigned long securityState;
     [infallible] readonly attribute long errorCode; // PRErrorCode
     // errorCode as string (e.g. "SEC_ERROR_UNKNOWN_ISSUER")
     readonly attribute AString errorCodeString;
 
     /**
      * If certificate verification failed, this will be the peer certificate
      * chain provided in the handshake, so it can be used for error reporting.
      * If verification succeeded, this will be null.
      */
     readonly attribute nsIX509CertList failedCertChain;
+
+    readonly attribute nsISSLStatus SSLStatus;
 };
 
--- a/security/manager/pki/resources/content/exceptionDialog.js
+++ b/security/manager/pki/resources/content/exceptionDialog.js
@@ -21,17 +21,19 @@ function initExceptionDialog() {
   gNeedReset = false;
   gDialog = document.documentElement;
   gBundleBrand = document.getElementById("brand_bundle");
   gPKIBundle = document.getElementById("pippki_bundle");
   gSecHistogram = Services.telemetry.getHistogramById("SECURITY_UI");
   gNsISecTel = Ci.nsISecurityUITelemetry;
 
   var brandName = gBundleBrand.getString("brandShortName");
-  setText("warningText", gPKIBundle.getFormattedString("addExceptionBrandedWarning2", [brandName]));
+  setText("warningText",
+          gPKIBundle.getFormattedString("addExceptionBrandedWarning2",
+                                        [brandName]));
   gDialog.getButton("extra1").disabled = true;
 
   var args = window.arguments;
   if (args && args[0]) {
     if (args[0].location) {
       // We were pre-seeded with a location.
       document.getElementById("locationTextBox").value = args[0].location;
       document.getElementById("checkCertButton").disabled = false;
@@ -70,17 +72,17 @@ function initExceptionDialog() {
  * @param {XMLHttpRequest} req
  *        The XMLHttpRequest created and sent by checkCert.
  * @param {Event} evt
  *        The load or error event.
  */
 function grabCert(req, evt) {
   if (req.channel && req.channel.securityInfo) {
     gSSLStatus = req.channel.securityInfo
-                    .QueryInterface(Ci.nsISSLStatusProvider).SSLStatus;
+                    .QueryInterface(Ci.nsITransportSecurityInfo).SSLStatus;
     gCert = gSSLStatus ? gSSLStatus.QueryInterface(Ci.nsISSLStatus).serverCert
                        : null;
   }
   gBroken = evt.type == "error";
   gChecking = false;
   updateCertStatus();
 }
 
@@ -154,17 +156,18 @@ function resetDialog() {
   window.sizeToContent();
 }
 
 /**
  * Called by input textboxes to manage UI state
  */
 function handleTextChange() {
   var checkCertButton = document.getElementById("checkCertButton");
-  checkCertButton.disabled = !(document.getElementById("locationTextBox").value);
+  checkCertButton.disabled =
+                    !(document.getElementById("locationTextBox").value);
   if (gNeedReset) {
     gNeedReset = false;
     resetDialog();
   }
 }
 
 function updateCertStatus() {
   var shortDesc, longDesc;
@@ -196,17 +199,18 @@ function updateCertStatus() {
           longDesc  = exl;
         } else {
           use2 = true;
           shortDesc2 = exs;
           longDesc2  = exl;
         }
       }
       if (gSSLStatus.isUntrusted) {
-        bucketId += gNsISecTel.WARNING_BAD_CERT_TOP_ADD_EXCEPTION_FLAG_UNTRUSTED;
+        bucketId +=
+          gNsISecTel.WARNING_BAD_CERT_TOP_ADD_EXCEPTION_FLAG_UNTRUSTED;
         if (!use1) {
           use1 = true;
           shortDesc = uts;
           longDesc  = utl;
         } else if (!use2) {
           use2 = true;
           shortDesc2 = uts;
           longDesc2  = utl;
@@ -224,17 +228,18 @@ function updateCertStatus() {
       // If the Private Browsing service is available and the mode is active,
       // don't store permanent exceptions, since they would persist after
       // private browsing mode was disabled.
       var inPrivateBrowsing = inPrivateBrowsingMode();
       var pe = document.getElementById("permanent");
       pe.disabled = inPrivateBrowsing;
       pe.checked = !inPrivateBrowsing;
 
-      setText("headerDescription", gPKIBundle.getString("addExceptionInvalidHeader"));
+      setText("headerDescription",
+              gPKIBundle.getString("addExceptionInvalidHeader"));
     } else {
       shortDesc = "addExceptionValidShort";
       longDesc  = "addExceptionValidLong";
       gDialog.getButton("extra1").disabled = true;
       document.getElementById("permanent").disabled = true;
     }
 
     // We're done checking the certificate, so allow the user to check it again.
@@ -296,32 +301,37 @@ function viewCertButtonClick() {
 function addException() {
   if (!gCert || !gSSLStatus) {
     return;
   }
 
   var overrideService = Cc["@mozilla.org/security/certoverride;1"]
                           .getService(Ci.nsICertOverrideService);
   var flags = 0;
-  let confirmBucketId = gNsISecTel.WARNING_BAD_CERT_TOP_CONFIRM_ADD_EXCEPTION_BASE;
+  let confirmBucketId =
+        gNsISecTel.WARNING_BAD_CERT_TOP_CONFIRM_ADD_EXCEPTION_BASE;
   if (gSSLStatus.isUntrusted) {
     flags |= overrideService.ERROR_UNTRUSTED;
-    confirmBucketId += gNsISecTel.WARNING_BAD_CERT_TOP_CONFIRM_ADD_EXCEPTION_FLAG_UNTRUSTED;
+    confirmBucketId +=
+        gNsISecTel.WARNING_BAD_CERT_TOP_CONFIRM_ADD_EXCEPTION_FLAG_UNTRUSTED;
   }
   if (gSSLStatus.isDomainMismatch) {
     flags |= overrideService.ERROR_MISMATCH;
-    confirmBucketId += gNsISecTel.WARNING_BAD_CERT_TOP_CONFIRM_ADD_EXCEPTION_FLAG_DOMAIN;
+    confirmBucketId +=
+           gNsISecTel.WARNING_BAD_CERT_TOP_CONFIRM_ADD_EXCEPTION_FLAG_DOMAIN;
   }
   if (gSSLStatus.isNotValidAtThisTime) {
     flags |= overrideService.ERROR_TIME;
-    confirmBucketId += gNsISecTel.WARNING_BAD_CERT_TOP_CONFIRM_ADD_EXCEPTION_FLAG_TIME;
+    confirmBucketId +=
+           gNsISecTel.WARNING_BAD_CERT_TOP_CONFIRM_ADD_EXCEPTION_FLAG_TIME;
   }
 
   var permanentCheckbox = document.getElementById("permanent");
-  var shouldStorePermanently = permanentCheckbox.checked && !inPrivateBrowsingMode();
+  var shouldStorePermanently = permanentCheckbox.checked &&
+                               !inPrivateBrowsingMode();
   if (!permanentCheckbox.checked) {
     gSecHistogram.add(gNsISecTel.WARNING_BAD_CERT_TOP_DONT_REMEMBER_EXCEPTION);
   }
 
   gSecHistogram.add(confirmBucketId);
   var uri = getURI();
   overrideService.rememberValidityOverride(
     uri.asciiHost, uri.port,
--- a/security/manager/ssl/TransportSecurityInfo.cpp
+++ b/security/manager/ssl/TransportSecurityInfo.cpp
@@ -46,17 +46,16 @@ TransportSecurityInfo::TransportSecurity
   , mErrorCode(0)
   , mPort(0)
 {
 }
 
 NS_IMPL_ISUPPORTS(TransportSecurityInfo,
                   nsITransportSecurityInfo,
                   nsIInterfaceRequestor,
-                  nsISSLStatusProvider,
                   nsIAssociatedContentSecurity,
                   nsISerializable,
                   nsIClassInfo)
 
 void
 TransportSecurityInfo::SetHostName(const char* host)
 {
   mHostName.Assign(host);
@@ -360,17 +359,17 @@ static NS_DEFINE_CID(kNSSSocketInfoCID, 
 
 NS_IMETHODIMP
 TransportSecurityInfo::GetClassIDNoAlloc(nsCID *aClassIDNoAlloc)
 {
   *aClassIDNoAlloc = kNSSSocketInfoCID;
   return NS_OK;
 }
 
-nsresult
+NS_IMETHODIMP
 TransportSecurityInfo::GetSSLStatus(nsISSLStatus** _result)
 {
   NS_ENSURE_ARG_POINTER(_result);
 
   *_result = mSSLStatus;
   NS_IF_ADDREF(*_result);
 
   return NS_OK;
--- a/security/manager/ssl/TransportSecurityInfo.h
+++ b/security/manager/ssl/TransportSecurityInfo.h
@@ -11,40 +11,37 @@
 #include "certt.h"
 #include "mozilla/Assertions.h"
 #include "mozilla/BasePrincipal.h"
 #include "mozilla/Mutex.h"
 #include "mozilla/RefPtr.h"
 #include "nsDataHashtable.h"
 #include "nsIAssociatedContentSecurity.h"
 #include "nsIInterfaceRequestor.h"
-#include "nsISSLStatusProvider.h"
 #include "nsITransportSecurityInfo.h"
 #include "nsSSLStatus.h"
 #include "nsString.h"
 #include "pkix/pkixtypes.h"
 
 namespace mozilla { namespace psm {
 
 class TransportSecurityInfo : public nsITransportSecurityInfo
                             , public nsIInterfaceRequestor
-                            , public nsISSLStatusProvider
                             , public nsIAssociatedContentSecurity
                             , public nsISerializable
                             , public nsIClassInfo
 {
 protected:
   virtual ~TransportSecurityInfo() {}
 public:
   TransportSecurityInfo();
 
   NS_DECL_THREADSAFE_ISUPPORTS
   NS_DECL_NSITRANSPORTSECURITYINFO
   NS_DECL_NSIINTERFACEREQUESTOR
-  NS_DECL_NSISSLSTATUSPROVIDER
   NS_DECL_NSIASSOCIATEDCONTENTSECURITY
   NS_DECL_NSISERIALIZABLE
   NS_DECL_NSICLASSINFO
 
   void SetSecurityState(uint32_t aState);
 
   const nsACString & GetHostName() const { return mHostName; }
 
--- a/security/manager/ssl/moz.build
+++ b/security/manager/ssl/moz.build
@@ -31,17 +31,16 @@ XPIDL_SOURCES += [
     'nsIPKCS11Module.idl',
     'nsIPKCS11ModuleDB.idl',
     'nsIPKCS11Slot.idl',
     'nsIProtectedAuthThread.idl',
     'nsISecretDecoderRing.idl',
     'nsISecurityUITelemetry.idl',
     'nsISiteSecurityService.idl',
     'nsISSLStatus.idl',
-    'nsISSLStatusProvider.idl',
     'nsITokenDialogs.idl',
     'nsITokenPasswordDialogs.idl',
     'nsIX509Cert.idl',
     'nsIX509CertDB.idl',
     'nsIX509CertList.idl',
     'nsIX509CertValidity.idl',
 ]
 
deleted file mode 100644
--- a/security/manager/ssl/nsISSLStatusProvider.idl
+++ /dev/null
@@ -1,13 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "nsISupports.idl"
-
-interface nsISSLStatus;
-
-[scriptable, uuid(179b1ab1-0950-4427-9556-6f496dc4a27f)]
-interface nsISSLStatusProvider : nsISupports {
-  readonly attribute nsISSLStatus SSLStatus;
-};
--- a/security/manager/ssl/nsSecureBrowserUIImpl.cpp
+++ b/security/manager/ssl/nsSecureBrowserUIImpl.cpp
@@ -84,18 +84,17 @@ nsSecureBrowserUIImpl::nsSecureBrowserUI
   MOZ_ASSERT(NS_IsMainThread());
 
   ResetStateTracking();
 }
 
 NS_IMPL_ISUPPORTS(nsSecureBrowserUIImpl,
                   nsISecureBrowserUI,
                   nsIWebProgressListener,
-                  nsISupportsWeakReference,
-                  nsISSLStatusProvider)
+                  nsISupportsWeakReference)
 
 NS_IMETHODIMP
 nsSecureBrowserUIImpl::Init(mozIDOMWindowProxy* aWindow)
 {
   MOZ_ASSERT(NS_IsMainThread());
 
   if (MOZ_LOG_TEST(gSecureDocLog, LogLevel::Debug)) {
     nsCOMPtr<nsIDOMWindow> window(do_QueryReferent(mWindow));
@@ -369,33 +368,31 @@ nsSecureBrowserUIImpl::EvaluateAndUpdate
 
   mNewToplevelSecurityState =
     GetSecurityStateFromSecurityInfoAndRequest(info, aRequest);
 
   MOZ_LOG(gSecureDocLog, LogLevel::Debug,
           ("SecureUI:%p: OnStateChange: remember mNewToplevelSecurityState => %x\n",
            this, mNewToplevelSecurityState));
 
-  nsCOMPtr<nsISSLStatusProvider> sp(do_QueryInterface(info));
-  if (sp) {
+  nsCOMPtr<nsITransportSecurityInfo> psmInfo(do_QueryInterface(info));
+  if (psmInfo) {
     // Ignore result
     updateStatus = true;
-    (void) sp->GetSSLStatus(getter_AddRefs(temp_SSLStatus));
+    (void) psmInfo->GetSSLStatus(getter_AddRefs(temp_SSLStatus));
     if (temp_SSLStatus) {
       bool aTemp;
       if (NS_SUCCEEDED(temp_SSLStatus->GetIsExtendedValidation(&aTemp))) {
         mNewToplevelIsEV = aTemp;
       }
     }
+    mSecInfo = psmInfo;
   }
 
   mNewToplevelSecurityStateKnown = true;
-  if (updateStatus) {
-    mSSLStatus = temp_SSLStatus;
-  }
   MOZ_LOG(gSecureDocLog, LogLevel::Debug,
          ("SecureUI:%p: remember securityInfo %p\n", this,
           info));
   nsCOMPtr<nsIAssociatedContentSecurity> associatedContentSecurityFromRequest(
     do_QueryInterface(aRequest));
   if (associatedContentSecurityFromRequest) {
     mCurrentToplevelSecurityInfo = aRequest;
   } else {
@@ -1009,17 +1006,17 @@ nsSecureBrowserUIImpl::UpdateSecuritySta
   bool flagsChanged = false;
   if (mNotifiedSecurityState != newSecurityState) {
     // Something changed since the last time.
     flagsChanged = true;
     mNotifiedSecurityState = newSecurityState;
 
     // If we have no security, we also shouldn't have any SSL status.
     if (newSecurityState == lis_no_security) {
-      mSSLStatus = nullptr;
+      mSecInfo = nullptr;
     }
   }
 
   if (mNotifiedToplevelIsEV != mNewToplevelIsEV) {
     flagsChanged = true;
     mNotifiedToplevelIsEV = mNewToplevelIsEV;
   }
 
@@ -1161,19 +1158,18 @@ nsSecureBrowserUIImpl::OnSecurityChange(
            ("SecureUI:%p: OnSecurityChange: (%x) %s\n", this,
             state, aURI->GetSpecOrDefault().get()));
   }
 #endif
 
   return NS_OK;
 }
 
-// nsISSLStatusProvider methods
 NS_IMETHODIMP
-nsSecureBrowserUIImpl::GetSSLStatus(nsISSLStatus** _result)
+nsSecureBrowserUIImpl::GetSecInfo(nsITransportSecurityInfo** _result)
 {
   NS_ENSURE_ARG_POINTER(_result);
   MOZ_ASSERT(NS_IsMainThread());
 
   switch (mNotifiedSecurityState)
   {
     case lis_broken_security:
     case lis_mixed_security:
@@ -1182,13 +1178,13 @@ nsSecureBrowserUIImpl::GetSSLStatus(nsIS
 
     default:
       MOZ_FALLTHROUGH_ASSERT("if this is reached you must add more entries to the switch");
     case lis_no_security:
       *_result = nullptr;
       return NS_OK;
   }
 
-  *_result = mSSLStatus;
+  *_result = mSecInfo;
   NS_IF_ADDREF(*_result);
 
   return NS_OK;
 }
--- a/security/manager/ssl/nsSecureBrowserUIImpl.h
+++ b/security/manager/ssl/nsSecureBrowserUIImpl.h
@@ -5,44 +5,41 @@
 
 #ifndef nsSecureBrowserUIImpl_h
 #define nsSecureBrowserUIImpl_h
 
 #include "PLDHashTable.h"
 #include "mozilla/ReentrancyGuard.h"
 #include "nsCOMPtr.h"
 #include "nsINetUtil.h"
-#include "nsISSLStatusProvider.h"
 #include "nsISecureBrowserUI.h"
 #include "nsISecurityEventSink.h"
 #include "nsIURI.h"
 #include "nsIWebProgressListener.h"
 #include "nsWeakReference.h"
 
-class nsISSLStatus;
+class nsITransportSecurityInfo;
 class nsIChannel;
 
 #define NS_SECURE_BROWSER_UI_CID \
 { 0xcc75499a, 0x1dd1, 0x11b2, {0x8a, 0x82, 0xca, 0x41, 0x0a, 0xc9, 0x07, 0xb8}}
 
 
 class nsSecureBrowserUIImpl : public nsISecureBrowserUI,
                               public nsIWebProgressListener,
-                              public nsSupportsWeakReference,
-                              public nsISSLStatusProvider
+                              public nsSupportsWeakReference
 {
   friend class mozilla::ReentrancyGuard;
 
 public:
   nsSecureBrowserUIImpl();
 
   NS_DECL_ISUPPORTS
   NS_DECL_NSIWEBPROGRESSLISTENER
   NS_DECL_NSISECUREBROWSERUI
-  NS_DECL_NSISSLSTATUSPROVIDER
 
 protected:
   virtual ~nsSecureBrowserUIImpl() {};
 
   nsWeakPtr mWindow;
   nsWeakPtr mDocShell;
   nsCOMPtr<nsINetUtil> mIOService;
   nsCOMPtr<nsIURI> mCurrentURI;
@@ -82,15 +79,15 @@ protected:
 
   void EvaluateAndUpdateSecurityState(nsIRequest* aRequest, nsISupports *info,
                                       bool withNewLocation, bool withNewSink);
   void UpdateSubrequestMembers(nsISupports* securityInfo, nsIRequest* request);
 
   void ObtainEventSink(nsIChannel *channel,
                        nsCOMPtr<nsISecurityEventSink> &sink);
 
-  nsCOMPtr<nsISSLStatus> mSSLStatus;
+  nsCOMPtr<nsITransportSecurityInfo> mSecInfo;
   nsCOMPtr<nsISupports> mCurrentToplevelSecurityInfo;
 
   PLDHashTable mTransferringRequests;
 };
 
 #endif // nsSecureBrowserUIImpl_h
--- a/security/manager/ssl/tests/unit/head_psm.js
+++ b/security/manager/ssl/tests/unit/head_psm.js
@@ -715,18 +715,17 @@ FakeSSLStatus.prototype = {
   QueryInterface: ChromeUtils.generateQI(["nsISSLStatus"]),
 };
 
 // Utility functions for adding tests relating to certificate error overrides
 
 // Helper function for add_cert_override_test. Probably doesn't need to be
 // called directly.
 function add_cert_override(aHost, aExpectedBits, aSecurityInfo) {
-  let sslstatus = aSecurityInfo.QueryInterface(Ci.nsISSLStatusProvider)
-                               .SSLStatus;
+  let sslstatus = aSecurityInfo.SSLStatus;
   let bits =
     (sslstatus.isUntrusted ? Ci.nsICertOverrideService.ERROR_UNTRUSTED : 0) |
     (sslstatus.isDomainMismatch ? Ci.nsICertOverrideService.ERROR_MISMATCH : 0) |
     (sslstatus.isNotValidAtThisTime ? Ci.nsICertOverrideService.ERROR_TIME : 0);
 
   Assert.equal(bits, aExpectedBits,
                "Actual and expected override bits should match");
   let cert = sslstatus.serverCert;
@@ -744,32 +743,30 @@ function add_cert_override_test(aHost, a
                                 aExpectedSSLStatus = undefined) {
   add_connection_test(aHost, aExpectedError, null,
                       add_cert_override.bind(this, aHost, aExpectedBits));
   add_connection_test(aHost, PRErrorCodeSuccess, null, aSecurityInfo => {
     Assert.ok(aSecurityInfo.securityState &
               Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN,
               "Cert override flag should be set on the security state");
     if (aExpectedSSLStatus) {
-      let sslstatus = aSecurityInfo.QueryInterface(Ci.nsISSLStatusProvider)
-                                  .SSLStatus;
+      let sslstatus = aSecurityInfo.SSLStatus;
       if (aExpectedSSLStatus.failedCertChain) {
         ok(aExpectedSSLStatus.failedCertChain.equals(sslstatus.failedCertChain));
       }
     }
   });
 }
 
 // Helper function for add_prevented_cert_override_test. This is much like
 // add_cert_override except it may not be the case that the connection has an
 // SSLStatus set on it. In this case, the error was not overridable anyway, so
 // we consider it a success.
 function attempt_adding_cert_override(aHost, aExpectedBits, aSecurityInfo) {
-  let sslstatus = aSecurityInfo.QueryInterface(Ci.nsISSLStatusProvider)
-                               .SSLStatus;
+  let sslstatus = aSecurityInfo.SSLStatus;
   if (sslstatus) {
     let bits =
       (sslstatus.isUntrusted ? Ci.nsICertOverrideService.ERROR_UNTRUSTED : 0) |
       (sslstatus.isDomainMismatch ? Ci.nsICertOverrideService.ERROR_MISMATCH : 0) |
       (sslstatus.isNotValidAtThisTime ? Ci.nsICertOverrideService.ERROR_TIME : 0);
     Assert.equal(bits, aExpectedBits,
                  "Actual and expected override bits should match");
     let cert = sslstatus.serverCert;
--- a/security/manager/ssl/tests/unit/test_cert_overrides_read_only.js
+++ b/security/manager/ssl/tests/unit/test_cert_overrides_read_only.js
@@ -5,18 +5,17 @@
 "use strict";
 
 // Tests that permanent certificate error overrides can be added even if the
 // certificate/key databases are in read-only mode.
 
 // Helper function for add_read_only_cert_override_test. Probably doesn't need
 // to be called directly.
 function add_read_only_cert_override(aHost, aExpectedBits, aSecurityInfo) {
-  let sslstatus = aSecurityInfo.QueryInterface(Ci.nsISSLStatusProvider)
-                               .SSLStatus;
+  let sslstatus = aSecurityInfo.SSLStatus;
   let bits =
     (sslstatus.isUntrusted ? Ci.nsICertOverrideService.ERROR_UNTRUSTED : 0) |
     (sslstatus.isDomainMismatch ? Ci.nsICertOverrideService.ERROR_MISMATCH : 0) |
     (sslstatus.isNotValidAtThisTime ? Ci.nsICertOverrideService.ERROR_TIME : 0);
 
   Assert.equal(bits, aExpectedBits,
                "Actual and expected override bits should match");
   let cert = sslstatus.serverCert;
--- a/security/manager/ssl/tests/unit/test_ct.js
+++ b/security/manager/ssl/tests/unit/test_ct.js
@@ -6,18 +6,17 @@
 "use strict";
 
 do_get_profile(); // must be called before getting nsIX509CertDB
 const certdb  = Cc["@mozilla.org/security/x509certdb;1"]
                   .getService(Ci.nsIX509CertDB);
 
 function expectCT(value) {
   return (securityInfo) => {
-    let sslStatus = securityInfo.QueryInterface(Ci.nsISSLStatusProvider)
-                                .SSLStatus;
+    let sslStatus = securityInfo.SSLStatus;
     Assert.equal(sslStatus.certificateTransparencyStatus, value,
                  "actual and expected CT status should match");
   };
 }
 
 registerCleanupFunction(() => {
   Services.prefs.clearUserPref("security.pki.certificate_transparency.mode");
 });
--- a/security/manager/ssl/tests/unit/test_session_resumption.js
+++ b/security/manager/ssl/tests/unit/test_session_resumption.js
@@ -36,19 +36,17 @@ function add_resume_non_ev_with_override
   // This connects again, using session resumption. Note that we don't clear
   // the TLS session cache between these operations (that would defeat the
   // purpose).
   add_connection_test("expired.example.com", PRErrorCodeSuccess, null,
     (transportSecurityInfo) => {
       ok(transportSecurityInfo.securityState &
          Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN,
          "expired.example.com should have STATE_CERT_USER_OVERRIDDEN flag");
-      let sslStatus = transportSecurityInfo
-                        .QueryInterface(Ci.nsISSLStatusProvider)
-                        .SSLStatus;
+      let sslStatus = transportSecurityInfo.SSLStatus;
       ok(!sslStatus.succeededCertChain,
          "ev-test.example.com should not have succeededCertChain set");
       ok(!sslStatus.isDomainMismatch,
          "expired.example.com should not have isDomainMismatch set");
       ok(sslStatus.isNotValidAtThisTime,
          "expired.example.com should have isNotValidAtThisTime set");
       ok(!sslStatus.isUntrusted,
          "expired.example.com should not have isUntrusted set");
@@ -63,19 +61,17 @@ function add_resume_non_ev_with_override
 // build). This assumes that an appropriate OCSP responder is running or that
 // good responses are cached.
 function add_one_ev_test() {
   add_connection_test("ev-test.example.com", PRErrorCodeSuccess, null,
     (transportSecurityInfo) => {
       ok(!(transportSecurityInfo.securityState &
            Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN),
          "ev-test.example.com should not have STATE_CERT_USER_OVERRIDDEN flag");
-      let sslStatus = transportSecurityInfo
-                        .QueryInterface(Ci.nsISSLStatusProvider)
-                        .SSLStatus;
+      let sslStatus = transportSecurityInfo.SSLStatus;
       ok(sslStatus.succeededCertChain,
          "ev-test.example.com should have succeededCertChain set");
       ok(!sslStatus.isDomainMismatch,
          "ev-test.example.com should not have isDomainMismatch set");
       ok(!sslStatus.isNotValidAtThisTime,
          "ev-test.example.com should not have isNotValidAtThisTime set");
       ok(!sslStatus.isUntrusted,
          "ev-test.example.com should not have isUntrusted set");
@@ -125,19 +121,17 @@ const GOOD_DOMAIN = "good.include-subdom
 // succeed (but isn't EV) and verifies that its succeededCertChain gets set
 // appropriately.
 function add_one_non_ev_test() {
   add_connection_test(GOOD_DOMAIN, PRErrorCodeSuccess, null,
     (transportSecurityInfo) => {
       ok(!(transportSecurityInfo.securityState &
            Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN),
          `${GOOD_DOMAIN} should not have STATE_CERT_USER_OVERRIDDEN flag`);
-      let sslStatus = transportSecurityInfo
-                        .QueryInterface(Ci.nsISSLStatusProvider)
-                        .SSLStatus;
+      let sslStatus = transportSecurityInfo.SSLStatus;
       ok(sslStatus.succeededCertChain,
          `${GOOD_DOMAIN} should have succeededCertChain set`);
       ok(!sslStatus.isDomainMismatch,
          `${GOOD_DOMAIN} should not have isDomainMismatch set`);
       ok(!sslStatus.isNotValidAtThisTime,
          `${GOOD_DOMAIN} should not have isNotValidAtThisTime set`);
       ok(!sslStatus.isUntrusted,
          `${GOOD_DOMAIN} should not have isUntrusted set`);
--- a/security/manager/ssl/tests/unit/test_ssl_status.js
+++ b/security/manager/ssl/tests/unit/test_ssl_status.js
@@ -15,31 +15,31 @@ function run_test() {
     response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
   });
   fakeOCSPResponder.start(8888);
 
   // Test successful connection (failedCertChain should be null,
   // succeededCertChain should be set as expected)
   add_connection_test(
     "good.include-subdomains.pinning.example.com", PRErrorCodeSuccess, null,
-    function withSecurityInfo(aSSLStatus) {
-      let sslstatus = aSSLStatus.QueryInterface(Ci.nsISSLStatusProvider).SSLStatus;
+    function withSecurityInfo(aSecInfo) {
+      let sslstatus = aSecInfo.SSLStatus;
       equal(sslstatus.failedCertChain, null,
             "failedCertChain for a successful connection should be null");
       ok(sslstatus.succeededCertChain.equals(build_cert_chain(["default-ee", "test-ca"])),
             "succeededCertChain for a successful connection should be as expected");
     }
   );
 
   // Test failed connection (failedCertChain should be set as expected,
   // succeededCertChain should be null)
   add_connection_test(
     "expired.example.com", SEC_ERROR_EXPIRED_CERTIFICATE, null,
-    function withSecurityInfo(aSSLStatus) {
-      let sslstatus = aSSLStatus.QueryInterface(Ci.nsISSLStatusProvider).SSLStatus;
+    function withSecurityInfo(aSecInfo) {
+      let sslstatus = aSecInfo.SSLStatus;
       equal(sslstatus.succeededCertChain, null,
             "succeededCertChain for a failed connection should be null");
       ok(sslstatus.failedCertChain.equals(build_cert_chain(["expired-ee", "test-ca"])),
             "failedCertChain for a failed connection should be as expected");
     }
   );
 
   // Ensure the correct failed cert chain is set on cert override
--- a/security/manager/tools/getHSTSPreloadList.js
+++ b/security/manager/tools/getHSTSPreloadList.js
@@ -106,18 +106,18 @@ function getHosts(rawdata) {
 
 function processStsHeader(host, header, status, securityInfo) {
   let maxAge = { value: 0 };
   let includeSubdomains = { value: false };
   let error = ERROR_NONE;
   if (header != null && securityInfo != null) {
     try {
       let uri = Services.io.newURI("https://" + host.name);
-      let sslStatus = securityInfo.QueryInterface(Ci.nsISSLStatusProvider)
-                                  .SSLStatus;
+      let sslStatus = securityInfo.
+                       QueryInterface(Ci.nsITransportSecurityInfo).SSLStatus;
       gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS,
                                uri, header, sslStatus, 0,
                                Ci.nsISiteSecurityService.SOURCE_PRELOAD_LIST,
                                {}, maxAge, includeSubdomains);
     } catch (e) {
       dump("ERROR: could not process header '" + header + "' from " +
            host.name + ": " + e + "\n");
       error = e;
--- a/testing/marionette/puppeteer/firefox/firefox_puppeteer/api/security.py
+++ b/testing/marionette/puppeteer/firefox/firefox_puppeteer/api/security.py
@@ -37,18 +37,17 @@ class Security(BaseLib):
         """The SSL certificate assiciated with the loaded web page in the given tab.
 
         :param tab_element: The inner tab DOM element.
 
         :returns: Certificate details as JSON object.
         """
         cert = self.marionette.execute_script("""
           var securityUI = arguments[0].linkedBrowser.securityUI;
-          var status = securityUI.QueryInterface(Components.interfaces.nsISSLStatusProvider)
-                                 .SSLStatus;
+          var status = securityUI.secInfo.SSLStatus;
 
           return status ? status.serverCert : null;
         """, script_args=[tab_element])
 
         uri = self.marionette.execute_script("""
           return arguments[0].linkedBrowser.currentURI.spec;
         """, script_args=[tab_element])
 
--- a/toolkit/content/browser-child.js
+++ b/toolkit/content/browser-child.js
@@ -210,17 +210,17 @@ var WebProgressListener = {
     this._send("Content:StatusChange", json, objects);
   },
 
   onSecurityChange: function onSecurityChange(aWebProgress, aRequest, aState) {
     let json = this._setupJSON(aWebProgress, aRequest);
     let objects = this._setupObjects(aWebProgress, aRequest);
 
     json.state = aState;
-    json.status = SecurityUI.getSSLStatusAsString();
+    json.secInfo = SecurityUI.getSecInfoAsString();
 
     json.matchedList = null;
     if (aRequest && aRequest instanceof Ci.nsIClassifiedChannel) {
       json.matchedList = aRequest.matchedList;
     }
 
     this._send("Content:SecurityChange", json, objects);
   },
@@ -369,25 +369,27 @@ var WebNavigation =  {
   stop(flags) {
     this.webNavigation.stop(flags);
   }
 };
 
 WebNavigation.init();
 
 var SecurityUI = {
-  getSSLStatusAsString() {
-    let status = docShell.securityUI.QueryInterface(Ci.nsISSLStatusProvider).SSLStatus;
+  getSecInfoAsString() {
+    let secInfo = docShell.securityUI.secInfo;
 
-    if (status) {
-      let helper = Cc["@mozilla.org/network/serialization-helper;1"]
-                      .getService(Ci.nsISerializationHelper);
+    if (secInfo) {
+      if (secInfo) {
+        let helper = Cc["@mozilla.org/network/serialization-helper;1"]
+                        .getService(Ci.nsISerializationHelper);
 
-      status.QueryInterface(Ci.nsISerializable);
-      return helper.serializeToString(status);
+        secInfo.QueryInterface(Ci.nsISerializable);
+        return helper.serializeToString(secInfo);
+      }
     }
 
     return null;
   }
 };
 
 var ControllerCommands = {
   init() {
--- a/toolkit/modules/CertUtils.jsm
+++ b/toolkit/modules/CertUtils.jsm
@@ -138,17 +138,17 @@ function checkCert(aChannel, aAllowNonBu
     // Require https if there are certificate values to verify
     if (aCerts) {
       throw new Ce("SSL is required and URI scheme is not https.",
                    Cr.NS_ERROR_UNEXPECTED);
     }
     return;
   }
 
-  let sslStatus = aChannel.securityInfo.QueryInterface(Ci.nsISSLStatusProvider)
+  let sslStatus = aChannel.securityInfo.QueryInterface(Ci.nsITransportSecurityInfo)
                           .SSLStatus;
   let cert = sslStatus.serverCert;
 
   validateCert(cert, aCerts);
 
   if (aAllowNonBuiltInCerts === true) {
     return;
   }
--- a/toolkit/modules/RemoteSecurityUI.jsm
+++ b/toolkit/modules/RemoteSecurityUI.jsm
@@ -3,27 +3,25 @@
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 var EXPORTED_SYMBOLS = ["RemoteSecurityUI"];
 
 ChromeUtils.import("resource://gre/modules/XPCOMUtils.jsm");
 
 function RemoteSecurityUI() {
-    this._SSLStatus = null;
+    this._secInfo = null;
     this._state = 0;
 }
 
 RemoteSecurityUI.prototype = {
-  QueryInterface: ChromeUtils.generateQI([Ci.nsISSLStatusProvider, Ci.nsISecureBrowserUI]),
-
-  // nsISSLStatusProvider
-  get SSLStatus() { return this._SSLStatus; },
+  QueryInterface: ChromeUtils.generateQI([Ci.nsISecureBrowserUI]),
 
   // nsISecureBrowserUI
   get state() { return this._state; },
   get tooltipText() { return ""; },
+  get secInfo() { return this._secInfo; },
 
-  _update(aStatus, aState) {
-    this._SSLStatus = aStatus;
+  _update(aSecInfo, aState) {
+    this._secInfo = aSecInfo;
     this._state = aState;
   }
 };
--- a/toolkit/modules/RemoteWebProgress.jsm
+++ b/toolkit/modules/RemoteWebProgress.jsm
@@ -105,24 +105,24 @@ RemoteWebProgressManager.prototype = {
     });
   },
 
   removeProgressListener(aListener) {
     this._progressListeners =
       this._progressListeners.filter(l => l.listener != aListener);
   },
 
-  _fixSSLStatusAndState(aStatus, aState) {
+  _fixSecInfoAndState(aSecInfo, aState) {
     let deserialized = null;
-    if (aStatus) {
+    if (aSecInfo) {
       let helper = Cc["@mozilla.org/network/serialization-helper;1"]
                     .getService(Ci.nsISerializationHelper);
 
-      deserialized = helper.deserializeObject(aStatus);
-      deserialized.QueryInterface(Ci.nsISSLStatus);
+      deserialized = helper.deserializeObject(aSecInfo);
+      deserialized.QueryInterface(Ci.nsITransportSecurityInfo);
     }
 
     return [deserialized, aState];
   },
 
   setCurrentURI(aURI) {
     // This function is simpler than nsDocShell::SetCurrentURI since
     // it doesn't have to deal with child docshells.
@@ -236,24 +236,24 @@ RemoteWebProgressManager.prototype = {
 
       this._callProgressListeners(
         Ci.nsIWebProgress.NOTIFY_LOCATION, "onLocationChange", webProgress,
         request, location, flags
       );
       break;
 
     case "Content:SecurityChange":
-      let [status, state] = this._fixSSLStatusAndState(json.status, json.state);
+      let [secInfo, state] = this._fixSecInfoAndState(json.secInfo, json.state);
 
       if (isTopLevel) {
         // Invoking this getter triggers the generation of the underlying object,
         // which we need to access with ._securityUI, because .securityUI returns
         // a wrapper that makes _update inaccessible.
         void this._browser.securityUI;
-        this._browser._securityUI._update(status, state);
+        this._browser._securityUI._update(secInfo, state);
       }
 
       this._callProgressListeners(
         Ci.nsIWebProgress.NOTIFY_SECURITY, "onSecurityChange", webProgress,
         request, state
       );
       break;
 
--- a/toolkit/modules/addons/SecurityInfo.jsm
+++ b/toolkit/modules/addons/SecurityInfo.jsm
@@ -89,17 +89,16 @@ const SecurityInfo = {
      */
 
     let securityInfo = channel.securityInfo;
     if (!securityInfo) {
       return info;
     }
 
     securityInfo.QueryInterface(Ci.nsITransportSecurityInfo);
-    securityInfo.QueryInterface(Ci.nsISSLStatusProvider);
 
     const SSLStatus = securityInfo.SSLStatus;
     if (NSSErrorsService.isNSSErrorCode(securityInfo.errorCode)) {
       // The connection failed.
       info.state = "broken";
       info.errorMessage = securityInfo.errorMessage;
       if (options.certificateChain && SSLStatus.failedCertChain) {
         info.certificates = this.getCertificateChain(SSLStatus.failedCertChain, options);
--- a/toolkit/modules/tests/chrome/test_bug544442_checkCert.xul
+++ b/toolkit/modules/tests/chrome/test_bug544442_checkCert.xul
@@ -82,17 +82,17 @@ function testXHRLoad(aEvent) {
      "attribute that does not exist on the certificate");
 
   certs = [ { issuerName: "Incorrect issuerName" } ];
   is(getCheckCertResult(channel, false, certs), Cr.NS_ERROR_ILLEGAL_VALUE,
      "checkCert should throw NS_ERROR_ILLEGAL_VALUE when the certificate " +
      "attributes array passed to checkCert has an element that has an " +
      "issuerName that is not the same as the certificate's");
 
-  var cert = channel.securityInfo.QueryInterface(Ci.nsISSLStatusProvider).
+  var cert = channel.securityInfo.QueryInterface(Ci.nsITransportSecurityInfo).
              SSLStatus.QueryInterface(Ci.nsISSLStatus).serverCert;
 
   certs = [ { issuerName: cert.issuerName,
               commonName: cert.commonName } ];
   is(getCheckCertResult(channel, false, certs), Cr.NS_ERROR_ABORT,
      "checkCert should throw NS_ERROR_ABORT when the certificate attributes " +
      "array passed to checkCert has a single element that has the same " +
      "issuerName and commonName as the certificate's and the certificate is " +
--- a/toolkit/mozapps/update/nsUpdateService.js
+++ b/toolkit/mozapps/update/nsUpdateService.js
@@ -3111,17 +3111,17 @@ Checker.prototype = {
   onError: function UC_onError(event) {
     var request = event.target;
     var status = this._getChannelStatus(request);
     LOG("Checker:onError - request.status: " + status);
 
     // Set MitM pref.
     try {
       var sslStatus = request.channel.QueryInterface(Ci.nsIRequest)
-                        .securityInfo.QueryInterface(Ci.nsISSLStatusProvider)
+                        .securityInfo.QueryInterface(Ci.nsITransportSecurityInfo)
                         .SSLStatus.QueryInterface(Ci.nsISSLStatus);
       if (sslStatus && sslStatus.serverCert && sslStatus.serverCert.issuerName) {
         Services.prefs.setStringPref("security.pki.mitm_canary_issuer",
                                      sslStatus.serverCert.issuerName);
       }
     } catch (e) {
       LOG("Checker:onError - Getting sslStatus failed.");
     }