Bug 1350599 - Use guaranteed preloaded test domains instead of real domains in HSTS tests. r?keeler draft
authorCykesiopka <cykesiopka.bmo@gmail.com>
Mon, 27 Mar 2017 22:56:38 +0800
changeset 551864 6812de82e798c5c9345ef95fb9802065131ca3b8
parent 551845 f7f87b8596e04521ed99443159edfe5b8c446fc3
child 621646 1ce3874c680692bd33a370d6a746227bca995eb9
push id51166
push usercykesiopka.bmo@gmail.com
push dateMon, 27 Mar 2017 14:57:12 +0000
reviewerskeeler
bugs1350599
milestone55.0a1
Bug 1350599 - Use guaranteed preloaded test domains instead of real domains in HSTS tests. r?keeler Some of our tests currently assume that certain real domains are HSTS preloaded. While most of the time these domains are in fact preloaded, this may change during periods of maintenance or other events. To avoid this, the changes here perform the following renames: bugzilla.mozilla.org -> includesubdomains.preloaded.test login.persona.org -> includesubdomains2.preloaded.test www.torproject.org -> noincludesubdomains.preloaded.test In addition, some tests that refer to mozilla.com (but don't depend on it being preloaded) are made to refer to example.com instead to avoid referring to real domains in tests. MozReview-Commit-ID: 3987moJnKGk
security/manager/ssl/tests/unit/sss_readstate_child_worker.js
security/manager/ssl/tests/unit/test_sss_readstate.js
security/manager/ssl/tests/unit/test_sss_readstate_child.js
security/manager/ssl/tests/unit/test_sss_readstate_empty.js
security/manager/ssl/tests/unit/test_sss_savestate.js
security/manager/ssl/tests/unit/test_sts_preloadlist_perwindowpb.js
security/manager/ssl/tests/unit/test_sts_preloadlist_selfdestruct.js
security/manager/ssl/tests/unit/xpcshell.ini
--- a/security/manager/ssl/tests/unit/sss_readstate_child_worker.js
+++ b/security/manager/ssl/tests/unit/sss_readstate_child_worker.js
@@ -7,27 +7,27 @@ function run_test() {
 
   ok(!SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
                             Services.io.newURI("https://expired.example.com"),
                             0));
   ok(SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
                            Services.io.newURI("https://notexpired.example.com"),
                            0));
   ok(SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                           Services.io.newURI("https://bugzilla.mozilla.org"),
+                           Services.io.newURI("https://includesubdomains.preloaded.test"),
                            0));
   ok(!SSService.isSecureURI(
        Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://sub.bugzilla.mozilla.org"), 0));
+       Services.io.newURI("https://sub.includesubdomains.preloaded.test"), 0));
   ok(SSService.isSecureURI(
        Ci.nsISiteSecurityService.HEADER_HSTS,
        Services.io.newURI("https://incsubdomain.example.com"), 0));
   ok(SSService.isSecureURI(
        Ci.nsISiteSecurityService.HEADER_HSTS,
        Services.io.newURI("https://sub.incsubdomain.example.com"), 0));
   ok(!SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                            Services.io.newURI("https://login.persona.org"),
+                            Services.io.newURI("https://includesubdomains2.preloaded.test"),
                             0));
   ok(!SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                            Services.io.newURI("https://sub.login.persona.org"),
+                            Services.io.newURI("https://sub.includesubdomains2.preloaded.test"),
                             0));
   do_test_finished();
 }
--- a/security/manager/ssl/tests/unit/test_sss_readstate.js
+++ b/security/manager/ssl/tests/unit/test_sss_readstate.js
@@ -21,76 +21,76 @@ function checkStateRead(aSubject, aTopic
 
   ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
                              Services.io.newURI("https://expired.example.com"),
                              0));
   ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
                             Services.io.newURI("https://notexpired.example.com"),
                             0));
   ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                            Services.io.newURI("https://bugzilla.mozilla.org"),
+                            Services.io.newURI("https://includesubdomains.preloaded.test"),
                             0));
   ok(!gSSService.isSecureURI(
        Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://sub.bugzilla.mozilla.org"), 0));
+       Services.io.newURI("https://sub.includesubdomains.preloaded.test"), 0));
   ok(gSSService.isSecureURI(
        Ci.nsISiteSecurityService.HEADER_HSTS,
        Services.io.newURI("https://incsubdomain.example.com"), 0));
   ok(gSSService.isSecureURI(
        Ci.nsISiteSecurityService.HEADER_HSTS,
        Services.io.newURI("https://sub.incsubdomain.example.com"), 0));
   ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             Services.io.newURI("https://login.persona.org"),
+                             Services.io.newURI("https://includesubdomains2.preloaded.test"),
                              0));
   ok(!gSSService.isSecureURI(
        Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://sub.login.persona.org"), 0));
+       Services.io.newURI("https://sub.includesubdomains2.preloaded.test"), 0));
 
   // Clearing the data should make everything go back to default.
   gSSService.clearAll();
   ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
                              Services.io.newURI("https://expired.example.com"),
                              0));
   ok(!gSSService.isSecureURI(
        Ci.nsISiteSecurityService.HEADER_HSTS,
        Services.io.newURI("https://notexpired.example.com"), 0));
   ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                            Services.io.newURI("https://bugzilla.mozilla.org"),
+                            Services.io.newURI("https://includesubdomains.preloaded.test"),
                             0));
   ok(gSSService.isSecureURI(
        Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://sub.bugzilla.mozilla.org"), 0));
+       Services.io.newURI("https://sub.includesubdomains.preloaded.test"), 0));
   ok(!gSSService.isSecureURI(
        Ci.nsISiteSecurityService.HEADER_HSTS,
        Services.io.newURI("https://incsubdomain.example.com"), 0));
   ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
        Services.io.newURI("https://sub.incsubdomain.example.com"), 0));
   ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                            Services.io.newURI("https://login.persona.org"), 0));
+                            Services.io.newURI("https://includesubdomains2.preloaded.test"), 0));
   ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                            Services.io.newURI("https://sub.login.persona.org"),
+                            Services.io.newURI("https://sub.includesubdomains2.preloaded.test"),
                             0));
   do_test_finished();
 }
 
 function run_test() {
   let profileDir = do_get_profile();
   let stateFile = profileDir.clone();
   stateFile.append(SSS_STATE_FILE_NAME);
   // Assuming we're working with a clean slate, the file shouldn't exist
   // until we create it.
   ok(!stateFile.exists());
   let outputStream = FileUtils.openFileOutputStream(stateFile);
   let now = (new Date()).getTime();
   writeLine("expired.example.com:HSTS\t0\t0\t" + (now - 100000) + ",1,0\n", outputStream);
   writeLine("notexpired.example.com:HSTS\t0\t0\t" + (now + 100000) + ",1,0\n", outputStream);
   // This overrides an entry on the preload list.
-  writeLine("bugzilla.mozilla.org:HSTS\t0\t0\t" + (now + 100000) + ",1,0\n", outputStream);
+  writeLine("includesubdomains.preloaded.test:HSTS\t0\t0\t" + (now + 100000) + ",1,0\n", outputStream);
   writeLine("incsubdomain.example.com:HSTS\t0\t0\t" + (now + 100000) + ",1,1\n", outputStream);
   // This overrides an entry on the preload list.
-  writeLine("login.persona.org:HSTS\t0\t0\t0,2,0\n", outputStream);
+  writeLine("includesubdomains2.preloaded.test:HSTS\t0\t0\t0,2,0\n", outputStream);
   outputStream.close();
   Services.obs.addObserver(checkStateRead, "data-storage-ready", false);
   do_test_pending();
   gSSService = Cc["@mozilla.org/ssservice;1"]
                  .getService(Ci.nsISiteSecurityService);
   notEqual(gSSService, null);
 }
--- a/security/manager/ssl/tests/unit/test_sss_readstate_child.js
+++ b/security/manager/ssl/tests/unit/test_sss_readstate_child.js
@@ -23,19 +23,19 @@ function run_test() {
   // Assuming we're working with a clean slate, the file shouldn't exist
   // until we create it.
   ok(!stateFile.exists());
   let outputStream = FileUtils.openFileOutputStream(stateFile);
   let now = (new Date()).getTime();
   writeLine("expired.example.com:HSTS\t0\t0\t" + (now - 100000) + ",1,0\n", outputStream);
   writeLine("notexpired.example.com:HSTS\t0\t0\t" + (now + 100000) + ",1,0\n", outputStream);
   // This overrides an entry on the preload list.
-  writeLine("bugzilla.mozilla.org:HSTS\t0\t0\t" + (now + 100000) + ",1,0\n", outputStream);
+  writeLine("includesubdomains.preloaded.test:HSTS\t0\t0\t" + (now + 100000) + ",1,0\n", outputStream);
   writeLine("incsubdomain.example.com:HSTS\t0\t0\t" + (now + 100000) + ",1,1\n", outputStream);
   // This overrides an entry on the preload list.
-  writeLine("login.persona.org:HSTS\t0\t0\t0,2,0\n", outputStream);
+  writeLine("includesubdomains2.preloaded.test:HSTS\t0\t0\t0,2,0\n", outputStream);
   outputStream.close();
   Services.obs.addObserver(start_test_in_child, "data-storage-ready", false);
   do_test_pending();
   let SSService = Cc["@mozilla.org/ssservice;1"]
                     .getService(Ci.nsISiteSecurityService);
   notEqual(SSService, null);
 }
--- a/security/manager/ssl/tests/unit/test_sss_readstate_empty.js
+++ b/security/manager/ssl/tests/unit/test_sss_readstate_empty.js
@@ -8,19 +8,18 @@
 
 var gSSService = null;
 
 function checkStateRead(aSubject, aTopic, aData) {
   // nonexistent.example.com should never be an HSTS host
   ok(!gSSService.isSecureURI(
        Ci.nsISiteSecurityService.HEADER_HSTS,
        Services.io.newURI("https://nonexistent.example.com"), 0));
-  // bugzilla.mozilla.org is preloaded
   ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                            Services.io.newURI("https://bugzilla.mozilla.org"),
+                            Services.io.newURI("https://includesubdomains.preloaded.test"),
                             0));
   // notexpired.example.com is an HSTS host in a different test - we
   // want to make sure that test hasn't interfered with this one.
   ok(!gSSService.isSecureURI(
        Ci.nsISiteSecurityService.HEADER_HSTS,
        Services.io.newURI("https://notexpired.example.com"), 0));
   do_test_finished();
 }
--- a/security/manager/ssl/tests/unit/test_sss_savestate.js
+++ b/security/manager/ssl/tests/unit/test_sss_savestate.js
@@ -47,20 +47,20 @@ function checkStateWritten(aSubject, aTo
   // We can receive multiple data-storage-written events. In particular, we
   // may receive one where DataStorage wrote out data before we were done
   // processing all of our headers. In this case, the data may not be
   // as we expect. We only care about the final one being correct, however,
   // so we return and wait for the next event if things aren't as we expect.
   // sites[url][1] corresponds to SecurityPropertySet (if 1) and
   //                              SecurityPropertyUnset (if 0)
   // sites[url][2] corresponds to includeSubdomains
-  if (sites["bugzilla.mozilla.org:HSTS"][1] != 1) {
+  if (sites["includesubdomains.preloaded.test:HSTS"][1] != 1) {
     return;
   }
-  if (sites["bugzilla.mozilla.org:HSTS"][2] != 0) {
+  if (sites["includesubdomains.preloaded.test:HSTS"][2] != 0) {
     return;
   }
   if (sites["a.example.com:HSTS"][1] != 1) {
     return;
   }
   if (sites["a.example.com:HSTS"][2] != 1) {
     return;
   }
@@ -98,17 +98,17 @@ function run_test() {
   gProfileDir = do_get_profile();
   let SSService = Cc["@mozilla.org/ssservice;1"]
                     .getService(Ci.nsISiteSecurityService);
   // Put an HPKP entry
   SSService.setKeyPins("dynamic-pin.example.com", true,
                        new Date().getTime() + 1000000, 1,
                        [NON_ISSUED_KEY_HASH]);
 
-  let uris = [ Services.io.newURI("http://bugzilla.mozilla.org"),
+  let uris = [ Services.io.newURI("http://includesubdomains.preloaded.test"),
                Services.io.newURI("http://a.example.com"),
                Services.io.newURI("http://b.example.com"),
                Services.io.newURI("http://c.c.example.com"),
                Services.io.newURI("http://d.example.com") ];
 
   for (let i = 0; i < 1000; i++) {
     let uriIndex = i % uris.length;
     // vary max-age
--- a/security/manager/ssl/tests/unit/test_sts_preloadlist_perwindowpb.js
+++ b/security/manager/ssl/tests/unit/test_sts_preloadlist_perwindowpb.js
@@ -1,13 +1,8 @@
-// This test attempts to use only domains that are likely to remain on the
-// preload list for a long time. Currently this includes bugzilla.mozilla.org
-// and login.persona.org because they are Mozilla properties and we are
-// invested in HSTS. Additionally, www.torproject.org was deemed likely to
-// continue to use HSTS.
 "use strict";
 
 var gSSService = Cc["@mozilla.org/ssservice;1"]
                    .getService(Ci.nsISiteSecurityService);
 
 function Observer() {}
 Observer.prototype = {
   observe(subject, topic, data) {
@@ -35,57 +30,57 @@ function run_test() {
 
   run_next_test();
 }
 
 function test_part1() {
   // check that a host not in the list is not identified as an sts host
   ok(!gSSService.isSecureURI(
        Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://nonexistent.mozilla.com"), 0));
+       Services.io.newURI("https://nonexistent.example.com"), 0));
 
   // check that an ancestor domain is not identified as an sts host
   ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
                              Services.io.newURI("https://com"), 0));
 
   // check that the pref to toggle using the preload list works
   Services.prefs.setBoolPref("network.stricttransportsecurity.preloadlist", false);
   ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             Services.io.newURI("https://bugzilla.mozilla.org"),
+                             Services.io.newURI("https://includesubdomains.preloaded.test"),
                              0));
   Services.prefs.setBoolPref("network.stricttransportsecurity.preloadlist", true);
   ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                            Services.io.newURI("https://bugzilla.mozilla.org"),
+                            Services.io.newURI("https://includesubdomains.preloaded.test"),
                             0));
 
   // check that a subdomain is an sts host (includeSubdomains is set)
   ok(gSSService.isSecureURI(
        Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://subdomain.bugzilla.mozilla.org"), 0));
+       Services.io.newURI("https://subdomain.includesubdomains.preloaded.test"), 0));
 
   // check that another subdomain is an sts host (includeSubdomains is set)
   ok(gSSService.isSecureURI(
        Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://a.b.c.def.bugzilla.mozilla.org"), 0));
+       Services.io.newURI("https://a.b.c.def.includesubdomains.preloaded.test"), 0));
 
   // check that a subdomain is not an sts host (includeSubdomains is not set)
   ok(!gSSService.isSecureURI(
        Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://subdomain.www.torproject.org"), 0));
+       Services.io.newURI("https://subdomain.noincludesubdomains.preloaded.test"), 0));
 
   // check that a host with a dot on the end won't break anything
   ok(!gSSService.isSecureURI(
        Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://notsts.nonexistent.mozilla.com."), 0));
+       Services.io.newURI("https://notsts.nonexistent.example.com."), 0));
 
   // check that processing a header with max-age: 0 will remove a preloaded
   // site from the list
-  let uri = Services.io.newURI("https://bugzilla.mozilla.org");
+  let uri = Services.io.newURI("https://includesubdomains.preloaded.test");
   let subDomainUri =
-    Services.io.newURI("https://subdomain.bugzilla.mozilla.org");
+    Services.io.newURI("https://subdomain.includesubdomains.preloaded.test");
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                            "max-age=0", sslStatus, 0);
   ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0));
   ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
                              subDomainUri, 0));
   // check that processing another header (with max-age non-zero) will
   // re-enable a site's sts status
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
@@ -93,92 +88,92 @@ function test_part1() {
   ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0));
   // but this time include subdomains was not set, so test for that
   ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
                              subDomainUri, 0));
   gSSService.clearAll();
 
   // check that processing a header with max-age: 0 from a subdomain of a site
   // will not remove that (ancestor) site from the list
-  uri = Services.io.newURI("https://subdomain.www.torproject.org");
+  uri = Services.io.newURI("https://subdomain.noincludesubdomains.preloaded.test");
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                            "max-age=0", sslStatus, 0);
   ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                            Services.io.newURI("https://www.torproject.org"),
+                            Services.io.newURI("https://noincludesubdomains.preloaded.test"),
                             0));
   ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0));
 
-  uri = Services.io.newURI("https://subdomain.bugzilla.mozilla.org");
+  uri = Services.io.newURI("https://subdomain.includesubdomains.preloaded.test");
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                            "max-age=0", sslStatus, 0);
   // we received a header with "max-age=0", so we have "no information"
-  // regarding the sts state of subdomain.bugzilla.mozilla.org specifically,
+  // regarding the sts state of subdomain.includesubdomains.preloaded.test specifically,
   // but it is actually still an STS host, because of the preloaded
-  // bugzilla.mozilla.org including subdomains.
+  // includesubdomains.preloaded.test including subdomains.
   // Here's a drawing:
-  // |-- bugzilla.mozilla.org (in preload list, includes subdomains) IS sts host
-  //     |-- subdomain.bugzilla.mozilla.org                          IS sts host
-  //     |   `-- another.subdomain.bugzilla.mozilla.org              IS sts host
-  //     `-- sibling.bugzilla.mozilla.org                            IS sts host
+  // |-- includesubdomains.preloaded.test (in preload list, includes subdomains) IS sts host
+  //     |-- subdomain.includesubdomains.preloaded.test                          IS sts host
+  //     |   `-- another.subdomain.includesubdomains.preloaded.test              IS sts host
+  //     `-- sibling.includesubdomains.preloaded.test                            IS sts host
   ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                            Services.io.newURI("https://bugzilla.mozilla.org"),
+                            Services.io.newURI("https://includesubdomains.preloaded.test"),
                             0));
   ok(gSSService.isSecureURI(
        Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://subdomain.bugzilla.mozilla.org"), 0));
+       Services.io.newURI("https://subdomain.includesubdomains.preloaded.test"), 0));
   ok(gSSService.isSecureURI(
        Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://sibling.bugzilla.mozilla.org"), 0));
+       Services.io.newURI("https://sibling.includesubdomains.preloaded.test"), 0));
   ok(gSSService.isSecureURI(
        Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://another.subdomain.bugzilla.mozilla.org"),
+       Services.io.newURI("https://another.subdomain.includesubdomains.preloaded.test"),
        0));
 
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                            "max-age=1000", sslStatus, 0);
   // Here's what we have now:
-  // |-- bugzilla.mozilla.org (in preload list, includes subdomains) IS sts host
-  //     |-- subdomain.bugzilla.mozilla.org (include subdomains is false) IS sts host
-  //     |   `-- another.subdomain.bugzilla.mozilla.org              IS NOT sts host
-  //     `-- sibling.bugzilla.mozilla.org                            IS sts host
+  // |-- includesubdomains.preloaded.test (in preload list, includes subdomains) IS sts host
+  //     |-- subdomain.includesubdomains.preloaded.test (include subdomains is false) IS sts host
+  //     |   `-- another.subdomain.includesubdomains.preloaded.test              IS NOT sts host
+  //     `-- sibling.includesubdomains.preloaded.test                            IS sts host
   ok(gSSService.isSecureURI(
        Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://subdomain.bugzilla.mozilla.org"), 0));
+       Services.io.newURI("https://subdomain.includesubdomains.preloaded.test"), 0));
   ok(gSSService.isSecureURI(
        Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://sibling.bugzilla.mozilla.org"), 0));
+       Services.io.newURI("https://sibling.includesubdomains.preloaded.test"), 0));
   ok(!gSSService.isSecureURI(
        Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://another.subdomain.bugzilla.mozilla.org"),
+       Services.io.newURI("https://another.subdomain.includesubdomains.preloaded.test"),
        0));
 
   // Test that an expired non-private browsing entry results in correctly
   // identifying a host that is on the preload list as no longer sts.
   // (This happens when we're in regular browsing mode, we get a header from
   // a site on the preload list, and that header later expires. We need to
   // then treat that host as no longer an sts host.)
   // (sanity check first - this should be in the preload list)
-  uri = Services.io.newURI("https://login.persona.org");
+  uri = Services.io.newURI("https://includesubdomains2.preloaded.test");
   ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0));
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                            "max-age=1", sslStatus, 0);
   do_timeout(1250, function() {
     ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0));
     run_next_test();
   });
 }
 
 const IS_PRIVATE = Ci.nsISocketProvider.NO_PERMANENT_STORAGE;
 
 function test_private_browsing1() {
   gSSService.clearAll();
-  let uri = Services.io.newURI("https://bugzilla.mozilla.org");
+  let uri = Services.io.newURI("https://includesubdomains.preloaded.test");
   let subDomainUri =
-    Services.io.newURI("https://a.b.c.subdomain.bugzilla.mozilla.org");
-  // sanity - bugzilla.mozilla.org is preloaded, includeSubdomains set
+    Services.io.newURI("https://a.b.c.subdomain.includesubdomains.preloaded.test");
+  // sanity - includesubdomains.preloaded.test is preloaded, includeSubdomains set
   ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                             IS_PRIVATE));
   ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, subDomainUri,
                             IS_PRIVATE));
 
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                            "max-age=0", sslStatus, IS_PRIVATE);
   ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
@@ -203,39 +198,39 @@ function test_private_browsing1() {
                              subDomainUri, IS_PRIVATE));
 
   // Test that an expired private browsing entry results in correctly
   // identifying a host that is on the preload list as no longer sts.
   // (This happens when we're in private browsing mode, we get a header from
   // a site on the preload list, and that header later expires. We need to
   // then treat that host as no longer an sts host.)
   // (sanity check first - this should be in the preload list)
-  uri = Services.io.newURI("https://login.persona.org");
+  uri = Services.io.newURI("https://includesubdomains2.preloaded.test");
   ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                             IS_PRIVATE));
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                            "max-age=1", sslStatus, IS_PRIVATE);
   do_timeout(1250, function() {
     ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                                IS_PRIVATE));
     // Simulate leaving private browsing mode
     Services.obs.notifyObservers(null, "last-pb-context-exited", null);
   });
 }
 
 function test_private_browsing2() {
   // if this test gets this far, it means there's a private browsing service
   ok(gSSService.isSecureURI(
        Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://bugzilla.mozilla.org"), 0));
-  // the bugzilla.mozilla.org entry has includeSubdomains set
+       Services.io.newURI("https://includesubdomains.preloaded.test"), 0));
+  // the includesubdomains.preloaded.test entry has includeSubdomains set
   ok(gSSService.isSecureURI(
        Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://subdomain.bugzilla.mozilla.org"), 0));
+       Services.io.newURI("https://subdomain.includesubdomains.preloaded.test"), 0));
 
   // Now that we're out of private browsing mode, we need to make sure
   // we've "forgotten" that we "forgot" this site's sts status.
   ok(gSSService.isSecureURI(
        Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://login.persona.org"), 0));
+       Services.io.newURI("https://includesubdomains2.preloaded.test"), 0));
 
   run_next_test();
 }
--- a/security/manager/ssl/tests/unit/test_sts_preloadlist_selfdestruct.js
+++ b/security/manager/ssl/tests/unit/test_sts_preloadlist_selfdestruct.js
@@ -1,16 +1,14 @@
-// This test uses bugzilla.mozilla.org given that it is likely to remain
-// on the preload list for a long time.
 "use strict";
 
 function run_test() {
   let SSService = Cc["@mozilla.org/ssservice;1"]
                     .getService(Ci.nsISiteSecurityService);
-  let uri = Services.io.newURI("https://bugzilla.mozilla.org");
+  let uri = Services.io.newURI("https://includesubdomains.preloaded.test");
 
   // check that a host on the preload list is identified as an sts host
   ok(SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0));
 
   // now simulate that it's 19 weeks later than it actually is
   let offsetSeconds = 19 * 7 * 24 * 60 * 60;
   Services.prefs.setIntPref("test.currentTimeOffsetSeconds", offsetSeconds);
 
--- a/security/manager/ssl/tests/unit/xpcshell.ini
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@@ -125,34 +125,30 @@ requesttimeoutfactor = 2
 run-sequentially = hardcoded ports
 [test_signed_apps.js]
 [test_signed_dir.js]
 tags = addons psm
 [test_sss_enumerate.js]
 [test_sss_eviction.js]
 [test_sss_originAttributes.js]
 [test_sss_readstate.js]
-skip-if = true # bug 1350599
 [test_sss_readstate_child.js]
 support-files = sss_readstate_child_worker.js
 # bug 1124289 - run_test_in_child violates the sandbox on android
 skip-if = toolkit == 'android'
 [test_sss_readstate_empty.js]
-skip-if = true # bug 1350599
 [test_sss_readstate_garbage.js]
 [test_sss_readstate_huge.js]
 [test_sss_savestate.js]
 [test_startcom_wosign.js]
 [test_sts_fqdn.js]
 [test_sts_holepunch.js]
 [test_sts_ipv4_ipv6.js]
 [test_sts_parser.js]
 [test_sts_preload_dynamic.js]
 [test_sts_preloadlist_perwindowpb.js]
-skip-if = true # bug 1350599
 [test_sts_preloadlist_selfdestruct.js]
-skip-if = true # bug 1350599
 [test_validity.js]
 run-sequentially = hardcoded ports
 [test_x509.js]
 
 # The TLS error reporting functionality lives in /toolkit but needs tlsserver
 [test_toolkit_securityreporter.js]