Bug 354493 - revert Add nsINetworkZonePolicy to protect resources loaded from private IPs r=backout a=sylvestre
authorPatrick McManus <mcmanus@ducksong.com>
Thu, 24 Jul 2014 22:42:12 -0400
changeset 216135 396bd1c9ad333eeecc1f1383851cb682736a2af9
parent 216134 e7d4238dd07581eb67eadd996f554d549ffe3159
child 216136 088b9010da18690bc02820b6530a96f701474d3b
push id3857
push userraliiev@mozilla.com
push dateTue, 02 Sep 2014 16:39:23 +0000
treeherdermozilla-beta@5638b907b505 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbackout, sylvestre
bugs354493
milestone33.0a2
Bug 354493 - revert Add nsINetworkZonePolicy to protect resources loaded from private IPs r=backout a=sylvestre
modules/libpref/src/init/all.js
netwerk/base/public/moz.build
netwerk/base/public/nsIIOService2.idl
netwerk/base/public/nsILoadGroup.idl
netwerk/base/public/nsINetworkZonePolicy.idl
netwerk/base/public/nsISocketTransport.idl
netwerk/base/public/nsNetUtil.h
netwerk/base/src/moz.build
netwerk/base/src/nsIOService.cpp
netwerk/base/src/nsIOService.h
netwerk/base/src/nsLoadGroup.cpp
netwerk/base/src/nsLoadGroup.h
netwerk/base/src/nsNetworkZonePolicy.cpp
netwerk/base/src/nsNetworkZonePolicy.h
netwerk/base/src/nsSocketTransport2.cpp
netwerk/build/nsNetCID.h
netwerk/build/nsNetModule.cpp
netwerk/cache/nsDiskCache.h
netwerk/dns/DNS.cpp
netwerk/dns/DNS.h
netwerk/dns/nsDNSService2.cpp
netwerk/dns/nsIDNSService.idl
netwerk/protocol/http/HttpBaseChannel.cpp
netwerk/protocol/http/nsAHttpConnection.h
netwerk/protocol/http/nsHttp.h
netwerk/protocol/http/nsHttpChannel.cpp
netwerk/protocol/http/nsHttpChannel.h
netwerk/protocol/http/nsHttpConnection.cpp
netwerk/protocol/http/nsHttpConnection.h
netwerk/protocol/http/nsHttpConnectionMgr.cpp
netwerk/protocol/http/nsHttpHandler.cpp
netwerk/protocol/http/nsHttpHandler.h
netwerk/protocol/http/nsHttpTransaction.cpp
netwerk/test/unit/test_httpResponseTimeout.js
netwerk/test/unit/test_networkZonePolicy.js
netwerk/test/unit/test_speculative_connect.js
netwerk/test/unit/xpcshell.ini
--- a/modules/libpref/src/init/all.js
+++ b/modules/libpref/src/init/all.js
@@ -1104,19 +1104,16 @@ pref("network.http.connection-retry-time
 // The number of seconds after sending initial SYN for an HTTP connection
 // to give up if the OS does not give up first
 pref("network.http.connection-timeout", 90);
 
 // The maximum number of current global half open sockets allowable
 // when starting a new speculative connection.
 pref("network.http.speculative-parallel-limit", 6);
 
-// Allow/Forbid speculative connections on loopback.
-pref("network.http.speculative.allowLoopback", false);
-
 // Whether or not to block requests for non head js/css items (e.g. media)
 // while those elements load.
 pref("network.http.rendering-critical-requests-prioritization", true);
 
 // Disable IPv6 for backup connections to workaround problems about broken
 // IPv6 connectivity.
 pref("network.http.fast-fallback-to-IPv4", true);
 
@@ -1526,20 +1523,16 @@ pref("network.proxy.autoconfig_url", "")
 // If we cannot load the PAC file, then try again (doubling from interval_min
 // until we reach interval_max or the PAC file is successfully loaded).
 pref("network.proxy.autoconfig_retry_interval_min", 5);    // 5 seconds
 pref("network.proxy.autoconfig_retry_interval_max", 300);  // 5 minutes
 
 // Use the HSTS preload list by default
 pref("network.stricttransportsecurity.preloadlist", true);
 
-// Prohibit resource loads from private networks (e.g. RFC1918 like IP
-// addresses) by documents which were loaded from public networks.
-pref("network.zonepolicy.enabled", true);
-
 pref("converter.html2txt.structs",          true); // Output structured phrases (strong, em, code, sub, sup, b, i, u)
 pref("converter.html2txt.header_strategy",  1); // 0 = no indention; 1 = indention, increased with header level; 2 = numbering and slight indention
 
 pref("intl.accept_languages",               "chrome://global/locale/intl.properties");
 pref("intl.menuitems.alwaysappendaccesskeys","chrome://global/locale/intl.properties");
 pref("intl.menuitems.insertseparatorbeforeaccesskeys","chrome://global/locale/intl.properties");
 pref("intl.charset.detector",               "chrome://global/locale/intl.properties");
 pref("intl.charset.fallback.override",      "");
--- a/netwerk/base/public/moz.build
+++ b/netwerk/base/public/moz.build
@@ -56,17 +56,16 @@ XPIDL_SOURCES += [
     'nsIMultiPartChannel.idl',
     'nsINestedURI.idl',
     'nsINetAddr.idl',
     'nsINetUtil.idl',
     'nsINetworkLinkService.idl',
     'nsINetworkPredictor.idl',
     'nsINetworkPredictorVerifier.idl',
     'nsINetworkProperties.idl',
-    'nsINetworkZonePolicy.idl',
     'nsINSSErrorsService.idl',
     'nsIParentChannel.idl',
     'nsIParentRedirectingChannel.idl',
     'nsIPermission.idl',
     'nsIPermissionManager.idl',
     'nsIPrivateBrowsingChannel.idl',
     'nsIProgressEventSink.idl',
     'nsIPrompt.idl',
--- a/netwerk/base/public/nsIIOService2.idl
+++ b/netwerk/base/public/nsIIOService2.idl
@@ -5,17 +5,17 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsIIOService.idl"
 
 /**
  * nsIIOService2 extends nsIIOService
  */
-[scriptable, uuid(b2344926-d194-41d5-b749-e6591a257428)]
+[scriptable, uuid(9a7dc724-0b5c-4b78-9722-1037074c02de)]
 interface nsIIOService2 : nsIIOService
 {
   /**
    * While this is set, IOService will monitor an nsINetworkLinkService
    * (if available) and set its offline status to "true" whenever
    * isLinkUp is false.
    *
    * Applications that want to control changes to the IOService's offline
@@ -35,15 +35,9 @@ interface nsIIOService2 : nsIIOService
    *        case aURI is used
    * @param aProxyFlags flags from nsIProtocolProxyService to use
    *        when resolving proxies for this new channel
    * @return reference to the new nsIChannel object
    */
   nsIChannel newChannelFromURIWithProxyFlags(in nsIURI aURI,
                                              in nsIURI aProxyURI,
                                              in unsigned long aProxyFlags);
-
-  /**
-   * Returns a string ID for the current network. This ID should be
-   * refreshed when the network link changes.
-   */
-  readonly attribute ACString networkLinkID;
 };
--- a/netwerk/base/public/nsILoadGroup.idl
+++ b/netwerk/base/public/nsILoadGroup.idl
@@ -10,17 +10,17 @@ interface nsIRequestObserver;
 interface nsIInterfaceRequestor;
 interface nsILoadGroupConnectionInfo;
 
 typedef unsigned long nsLoadFlags;
 
 /**
  * A load group maintains a collection of nsIRequest objects. 
  */
-[scriptable, uuid(8531ccd9-f12f-4674-ae07-05b625cebf8b)]
+[scriptable, uuid(afb57ac2-bce5-4ee3-bb34-385089a9ba5c)]
 interface nsILoadGroup : nsIRequest
 {
     /**
      * The group observer is notified when requests are added to and removed
      * from this load group.  The groupObserver is weak referenced.
      */
     attribute nsIRequestObserver groupObserver;
 
@@ -88,22 +88,16 @@ interface nsILoadGroup : nsIRequest
      * to the group - typically via nsIDocShell::defaultLoadFlags on a new
      * docShell.
      * Note that these flags are *not* added to the default request for the
      * load group; it is expected the default request will already have these
      * flags (again, courtesy of setting nsIDocShell::defaultLoadFlags before
      * the docShell has created the default request.)
      */
     attribute nsLoadFlags defaultLoadFlags;
-
-    /**
-     * Allow/Deny this loadgroup to load resources from private, RFC1918-like
-     * addresses. See nsINetworkZonePolicy for more information.
-     */
-    attribute bool allowLoadsFromPrivateNetworks;
 };
 
 %{C++
 // Forward-declare mozilla::net::SpdyPushCache
 namespace mozilla {
 namespace net {
 class SpdyPushCache;
 }
deleted file mode 100644
--- a/netwerk/base/public/nsINetworkZonePolicy.idl
+++ /dev/null
@@ -1,53 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "nsISupports.idl"
-
-interface nsIRequest;
-
-/**
- * NetworkZonePolicy is used to permit or deny nsIRequests loading from private
- * IP addresses. Private in this case means RFC1918-like addresses and
- * localhost. Primarily, this is to protect resources held on private
- * networks from being loaded by documents which were loaded from the public
- * internet.
- */
-
-[scriptable, uuid(639a0797-7870-4a37-9110-57ea9f14783f)]
-interface nsINetworkZonePolicy : nsISupports
-{
-  /**
-   * Returns true if aRequest can connect to private, RFC1918-like addresses.
-   * Implementing classes should query the loadgroup of the request, along with
-   * the loadgroup's owning/parent hierarchy, to determine if permission is
-   * granted. This should result in requests generated by a public document
-   * being restricted to public loads only.
-   *
-   * @param aRequest  The nsIRequest which is trying to load from a private IP
-   *                  address.
-   * @returns         True if aRequest has permission to load from a private IP
-   *                  address; false if it does not.
-   */
-  bool checkPrivateNetworkPermission(in nsIRequest aRequest);
-
-  /**
-   * Tries to set permission in the loadgroup of aRequest with respect to
-   * loading from private IP addresses. Permission will only be set if the
-   * loadgroup's ancestors (parent-, owning- and docshell parent loadgroups) all
-   * allow private network loads. If permission cannot be set, the function
-   * returns silently.
-   * Note: only documents should be allowed to set permission for other
-   * resource loads in the loadgroup, so aRequest should represent a document
-   * load. Non document loads will be ignored and the function will return
-   * silently.
-   *
-   * @param aRequest  The request which is trying to set private load
-   *                  permission for its loadgroup.
-   * @param aAllowed  True if permission is to be granted; false if not.
-   */
-  void setPrivateNetworkPermission(in nsIRequest aRequest,
-                                   in bool aAllowed);
-};
--- a/netwerk/base/public/nsISocketTransport.idl
+++ b/netwerk/base/public/nsISocketTransport.idl
@@ -178,22 +178,16 @@ interface nsISocketTransport : nsITransp
 
     /**
      * If set, indicates that the socket should not connect if the hostname
      * resolves to an RFC1918 address or IPv6 equivalent.
      */
     const unsigned long DISABLE_RFC1918 = (1 << 5);
 
     /**
-     * If set, indicates that the socket should not connect if the hostname
-     * resolves to a loopback address.
-     */
-    const unsigned long DISABLE_LOOPBACK = (1 << 6);
-
-    /**
      * Socket QoS/ToS markings. Valid values are IPTOS_DSCP_AFxx or
      * IPTOS_CLASS_CSx (or IPTOS_DSCP_EF, but currently no supported
      * services require expedited-forwarding).
      * Not setting this value will leave the socket with the default
      * ToS value, which on most systems if IPTOS_CLASS_CS0 (formerly
      * IPTOS_PREC_ROUTINE).
      */
     attribute octet QoSBits;
--- a/netwerk/base/public/nsNetUtil.h
+++ b/netwerk/base/public/nsNetUtil.h
@@ -2394,31 +2394,9 @@ NS_IsSrcdocChannel(nsIChannel *aChannel)
   nsCOMPtr<nsIViewSourceChannel> vsc = do_QueryInterface(aChannel);
   if (vsc) {
     vsc->GetIsSrcdocChannel(&isSrcdoc);
     return isSrcdoc;
   }
   return false;
 }
 
-/**
- *  Provides 32 bits of PRNG; workaround for platform variances of RAND_MAX.
- */
-inline uint32_t
-NS_Get32BitsOfPseudoRandom()
-{
-    // rand() provides different amounts of PRNG on different platforms.
-    // 15 or 31 bits are common amounts.
-
-    PR_STATIC_ASSERT(RAND_MAX >= 0xfff);
-
-#if RAND_MAX < 0xffffU
-    return ((uint16_t) rand() << 20) |
-            (((uint16_t) rand() & 0xfff) << 8) |
-            ((uint16_t) rand() & 0xff);
-#elif RAND_MAX < 0xffffffffU
-    return ((uint16_t) rand() << 16) | ((uint16_t) rand() & 0xffff);
-#else
-    return (uint32_t) rand();
-#endif
-}
-
 #endif // !nsNetUtil_h__
--- a/netwerk/base/src/moz.build
+++ b/netwerk/base/src/moz.build
@@ -42,17 +42,16 @@ UNIFIED_SOURCES += [
     'nsInputStreamChannel.cpp',
     'nsInputStreamPump.cpp',
     'nsIOService.cpp',
     'nsLoadGroup.cpp',
     'nsMediaFragmentURIParser.cpp',
     'nsMIMEInputStream.cpp',
     'nsNetAddr.cpp',
     'nsNetStrings.cpp',
-    'nsNetworkZonePolicy.cpp',
     'nsPACMan.cpp',
     'nsPreloadedStream.cpp',
     'nsProtocolProxyService.cpp',
     'nsProxyInfo.cpp',
     'nsRequestObserverProxy.cpp',
     'nsSerializationHelper.cpp',
     'nsServerSocket.cpp',
     'nsSimpleNestedURI.cpp',
--- a/netwerk/base/src/nsIOService.cpp
+++ b/netwerk/base/src/nsIOService.cpp
@@ -144,25 +144,16 @@ nsIOService::nsIOService()
     , mManageOfflineStatus(false)
     , mSettingOffline(false)
     , mSetOfflineValue(false)
     , mShutdown(false)
     , mNetworkLinkServiceInitialized(false)
     , mChannelEventSinks(NS_CHANNEL_EVENT_SINK_CATEGORY)
     , mAutoDialEnabled(false)
 {
-    // XXX May need to remove this once Bug 939319 and associated bugs for
-    // NS_NETWORK_LINK_DATA_CHANGED are complete on all supported platforms.
-
-    // Subfields of unions cannot be targeted in an initializer list
-    mNetworkLinkSelfAddr.raw.family = PR_AF_UNSPEC;
-
-    // Right now, the network link ID is just 64bits of pseudo-randonmess.
-    mNetworkLinkID = NS_Get32BitsOfPseudoRandom();
-    mNetworkLinkID = (mNetworkLinkID << 32) | NS_Get32BitsOfPseudoRandom();
 }
 
 nsresult
 nsIOService::Init()
 {
     nsresult rv;
 
     // We need to get references to the DNS service so that we can shut it
@@ -1088,48 +1079,16 @@ nsIOService::SetManageOfflineStatus(bool
 }
 
 NS_IMETHODIMP
 nsIOService::GetManageOfflineStatus(bool* aManage) {
     *aManage = mManageOfflineStatus;
     return NS_OK;
 }
 
-uint64_t
-nsIOService::GetNetworkLinkID() const
-{
-    return mNetworkLinkID;
-}
-
-NS_IMETHODIMP
-nsIOService::GetNetworkLinkID(nsACString &aNetworkLinkID)
-{
-    char temp[21];
-    PR_snprintf(temp, sizeof(temp), "%llu", mNetworkLinkID);
-    aNetworkLinkID.Append(temp);
-
-    return NS_OK;
-}
-
-// XXX Remove this once Bug 939319 and associated bugs for
-// NS_NETWORK_LINK_DATA_CHANGED are complete on all supported platforms.
-// Right now, the network link ID is just 64bits of pseudo-randonmess.
-void
-nsIOService::UpdateNetworkLinkID(const mozilla::net::NetAddr aCurrentSelfAddr)
-{
-    if (IsLoopBackAddress(&aCurrentSelfAddr) ||
-        mNetworkLinkSelfAddr.EqualsIP(aCurrentSelfAddr)) {
-        return;
-    }
-    mNetworkLinkSelfAddr = aCurrentSelfAddr;
-
-    mNetworkLinkID = NS_Get32BitsOfPseudoRandom();
-    mNetworkLinkID = (mNetworkLinkID << 32) | NS_Get32BitsOfPseudoRandom();
-}
-
 nsresult
 nsIOService::TrackNetworkLinkStatusForOffline()
 {
     NS_ASSERTION(mManageOfflineStatus,
                  "Don't call this unless we're managing the offline status");
     if (!mNetworkLinkService)
         return NS_ERROR_FAILURE;
 
--- a/netwerk/base/src/nsIOService.h
+++ b/netwerk/base/src/nsIOService.h
@@ -13,17 +13,16 @@
 #include "nsWeakPtr.h"
 #include "nsIObserver.h"
 #include "nsWeakReference.h"
 #include "nsINetUtil.h"
 #include "nsIChannelEventSink.h"
 #include "nsCategoryCache.h"
 #include "nsISpeculativeConnect.h"
 #include "mozilla/Attributes.h"
-#include "mozilla/net/DNS.h"
 
 #define NS_N(x) (sizeof(x)/sizeof(*x))
 
 // We don't want to expose this observer topic.
 // Intended internal use only for remoting offline/inline events.
 // See Bug 552829
 #define NS_IPC_IOSERVICE_SET_OFFLINE_TOPIC "ipc:network:set-offline"
 
@@ -70,25 +69,16 @@ public:
 
     bool IsOffline() { return mOffline; }
     bool IsLinkUp();
 
     bool IsComingOnline() const {
       return mOffline && mSettingOffline && !mSetOfflineValue;
     }
 
-    // Returns the NetworkLinkID.
-    uint64_t GetNetworkLinkID() const;
-
-    // XXX Remove this once Bug 939319 and associated bugs for
-    // NS_NETWORK_LINK_DATA_CHANGED are complete on all supported
-    // platforms.
-    // Primes the network link ID with the current self address of this host.
-    void UpdateNetworkLinkID(const mozilla::net::NetAddr aCurrentSelfAddr);
-
 private:
     // These shouldn't be called directly:
     // - construct using GetInstance
     // - destroy using Release
     nsIOService();
     ~nsIOService();
 
     nsresult TrackNetworkLinkStatusForOffline();
@@ -138,26 +128,16 @@ private:
 
     nsTArray<int32_t>                    mRestrictedPortList;
 
     bool                                 mAutoDialEnabled;
 public:
     // Used for all default buffer sizes that necko allocates.
     static uint32_t   gDefaultSegmentSize;
     static uint32_t   gDefaultSegmentCount;
-
-private:
-    // XXX Maybe remove these once Bug 939319 and associated bugs for
-    // NS_NETWORK_LINK_DATA_CHANGED are complete on all supported platforms.
-    // Right now, the network link ID is just 64bits of pseudo-randonmess.
-    //
-    // ID of the current network link.
-    uint64_t                             mNetworkLinkID;
-    // IP address of this host for the current network link.
-    mozilla::net::NetAddr                mNetworkLinkSelfAddr;
 };
 
 /**
  * Reference to the IO service singleton. May be null.
  */
 extern nsIOService* gIOService;
 
 #endif // nsIOService_h__
--- a/netwerk/base/src/nsLoadGroup.cpp
+++ b/netwerk/base/src/nsLoadGroup.cpp
@@ -113,17 +113,16 @@ RescheduleRequests(PLDHashTable *table, 
 
 nsLoadGroup::nsLoadGroup(nsISupports* outer)
     : mForegroundCount(0)
     , mLoadFlags(LOAD_NORMAL)
     , mDefaultLoadFlags(0)
     , mStatus(NS_OK)
     , mPriority(PRIORITY_NORMAL)
     , mIsCanceling(false)
-    , mAllowLoadsFromPrivateNetworks(true)
     , mDefaultLoadIsTimed(false)
     , mTimedRequests(0)
     , mCachedRequests(0)
     , mTimedNonCachedRequestsUntilOnEndPageLoad(0)
 {
     NS_INIT_AGGREGATED(outer);
 
 #if defined(PR_LOGGING)
@@ -1090,30 +1089,16 @@ nsresult nsLoadGroup::MergeLoadFlags(nsI
 
     if (flags != oldFlags)
         rv = aRequest->SetLoadFlags(flags);
 
     outFlags = flags;
     return rv;
 }
 
-NS_IMETHODIMP
-nsLoadGroup::GetAllowLoadsFromPrivateNetworks(bool *aAllowed)
-{
-    *aAllowed = mAllowLoadsFromPrivateNetworks;
-    return NS_OK;
-}
-
-NS_IMETHODIMP
-nsLoadGroup::SetAllowLoadsFromPrivateNetworks(bool aAllowed)
-{
-    mAllowLoadsFromPrivateNetworks = aAllowed;
-    return NS_OK;
-}
-
 // nsLoadGroupConnectionInfo
 
 class nsLoadGroupConnectionInfo MOZ_FINAL : public nsILoadGroupConnectionInfo
 {
     ~nsLoadGroupConnectionInfo() {}
 
 public:
     NS_DECL_THREADSAFE_ISUPPORTS
--- a/netwerk/base/src/nsLoadGroup.h
+++ b/netwerk/base/src/nsLoadGroup.h
@@ -77,19 +77,16 @@ protected:
 
     nsWeakPtr                       mObserver;
     nsWeakPtr                       mParentLoadGroup;
     
     nsresult                        mStatus;
     int32_t                         mPriority;
     bool                            mIsCanceling;
 
-    // Set if this loadgroup allows loads from private networks (RFC1918 etc).
-    bool                            mAllowLoadsFromPrivateNetworks;
-
     /* Telemetry */
     mozilla::TimeStamp              mDefaultRequestCreationTime;
     bool                            mDefaultLoadIsTimed;
     uint32_t                        mTimedRequests;
     uint32_t                        mCachedRequests;
 
     /* For nsPILoadGroupInternal */
     uint32_t                        mTimedNonCachedRequestsUntilOnEndPageLoad;
deleted file mode 100644
--- a/netwerk/base/src/nsNetworkZonePolicy.cpp
+++ /dev/null
@@ -1,361 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "prlog.h"
-#include "nsAutoPtr.h"
-#include "nsNetworkZonePolicy.h"
-#include "nsIChannel.h"
-#include "nsIDocShell.h"
-#include "nsIDocumentLoader.h"
-#include "nsILoadGroup.h"
-#include "nsILoadGroupChild.h"
-#include "nsIObserverService.h"
-#include "nsIRequestObserver.h"
-#include "mozilla/Preferences.h"
-#include "mozilla/Services.h"
-#ifdef PR_LOGGING
-#include "nsString.h"
-#endif
-
-namespace mozilla
-{
-namespace net
-{
-
-#ifdef PR_LOGGING
-static PRLogModuleInfo *gNZPLog;
-#define NZPLOG(msg, ...) \
-  PR_LOG(gNZPLog, PR_LOG_DEBUG, ("[NZP] %p: " msg, this, ##__VA_ARGS__))
-#else
-#define NZPLOG(msg, ...)
-#endif
-
-/* Keeps track of whether or not NZP is enabled */
-bool nsNetworkZonePolicy::sNZPEnabled = true;
-
-/* True if shutdown notification has been received. */
-bool nsNetworkZonePolicy::sShutdown = false;
-
-/* Singleton pointer. */
-StaticRefPtr<nsNetworkZonePolicy> nsNetworkZonePolicy::sSingleton;
-
-nsNetworkZonePolicy::nsNetworkZonePolicy()
-{
-  Preferences::AddBoolVarCache(&sNZPEnabled, "network.zonepolicy.enabled");
-
-  // Register for shutdown notification.
-  nsCOMPtr<nsIObserverService> obs = mozilla::services::GetObserverService();
-  if (obs) {
-    obs->AddObserver(this, NS_XPCOM_SHUTDOWN_OBSERVER_ID, false);
-  } else {
-    NS_WARNING("failed to get observer service");
-  }
-
-#ifdef PR_LOGGING
-  if (!gNZPLog) {
-    gNZPLog = PR_NewLogModule("NZP");
-  }
-#endif
-}
-
-already_AddRefed<nsNetworkZonePolicy>
-nsNetworkZonePolicy::GetSingleton()
-{
-  if (sShutdown) {
-    return nullptr;
-  }
-
-  if (!sSingleton) {
-    sSingleton = new nsNetworkZonePolicy();
-  }
-
-  // Return a ref ptr to the singleton.
-  nsRefPtr<nsNetworkZonePolicy> nzp = sSingleton.get();
-  return nzp.forget();
-}
-
-nsNetworkZonePolicy::~nsNetworkZonePolicy() {}
-
-NS_IMPL_ISUPPORTS(nsNetworkZonePolicy,
-                  nsINetworkZonePolicy,
-                  nsIObserver)
-
-// nsIObserver interface
-NS_IMETHODIMP
-nsNetworkZonePolicy::Observe(nsISupports *aSubject,
-                             const char *aTopic,
-                             const char16_t *aData)
-{
-  if (strcmp(aTopic, NS_XPCOM_SHUTDOWN_OBSERVER_ID) == 0) {
-    sShutdown = true;
-    sSingleton = nullptr;
-  }
-  return NS_OK;
-}
-
-already_AddRefed<nsILoadGroup>
-nsNetworkZonePolicy::GetLoadGroupParent(nsILoadGroup *aLoadGroup)
-{
-  if (NS_WARN_IF(!aLoadGroup)) {
-    return nullptr;
-  }
-  MOZ_ASSERT(aLoadGroup);
-
-  DebugOnly<nsresult> rv = NS_OK;
-  nsCOMPtr<nsILoadGroup> parent;
-  nsCOMPtr<nsILoadGroupChild> loadGroupAsChild = do_QueryInterface(aLoadGroup);
-  if (!loadGroupAsChild) {
-    return nullptr;
-  }
-  rv = loadGroupAsChild->GetParentLoadGroup(getter_AddRefs(parent));
-  if (!parent) {
-    return nullptr;
-  }
-  NZPLOG("loadgroup %p getting parent loadgroup %p", aLoadGroup,
-         parent.get());
-  return parent.forget();
-}
-
-already_AddRefed<nsILoadGroup>
-nsNetworkZonePolicy::GetOwningLoadGroup(nsILoadGroup *aLoadGroup)
-{
-  if (NS_WARN_IF(!aLoadGroup)) {
-    return nullptr;
-  }
-  MOZ_ASSERT(aLoadGroup);
-
-  DebugOnly<nsresult> rv = NS_OK;
-  nsCOMPtr<nsILoadGroup> owner;
-  rv = aLoadGroup->GetLoadGroup(getter_AddRefs(owner));
-  if (!owner) {
-    return nullptr;
-  }
-  NZPLOG("loadgroup %p getting owning loadgroup %p", aLoadGroup, owner.get());
-  return owner.forget();
-}
-
-already_AddRefed<nsILoadGroup>
-nsNetworkZonePolicy::GetParentDocShellsLoadGroup(nsILoadGroup *aLoadGroup)
-{
-  if (NS_WARN_IF(!aLoadGroup)) {
-    return nullptr;
-  }
-  MOZ_ASSERT(aLoadGroup);
-
-  DebugOnly<nsresult> rv = NS_OK;
-  nsCOMPtr<nsIRequestObserver> observer;
-  rv = aLoadGroup->GetGroupObserver(getter_AddRefs(observer));
-  if (!observer) {
-    return nullptr;
-  }
-  nsCOMPtr<nsIDocShell> docShell = do_QueryInterface(observer);
-  if (!docShell) {
-    return nullptr;
-  }
-  nsCOMPtr<nsIDocShellTreeItem> parentAsTreeItem;
-  docShell->GetSameTypeParent(getter_AddRefs(parentAsTreeItem));
-  if (!parentAsTreeItem) {
-    return nullptr;
-  }
-  nsCOMPtr<nsIDocumentLoader> parentAsDocLoader =
-    do_QueryInterface(parentAsTreeItem);
-  if (!parentAsDocLoader) {
-    return nullptr;
-  }
-  nsCOMPtr<nsILoadGroup> dsParent;
-  rv = parentAsDocLoader->GetLoadGroup(getter_AddRefs(dsParent));
-  if (!dsParent) {
-    return nullptr;
-  }
-  NZPLOG("loadgroup %p getting docshell parent's loadgroup %p",
-         aLoadGroup, dsParent.get());
-  return dsParent.forget();
-}
-
-bool
-nsNetworkZonePolicy::CheckLoadGroupAncestorHierarchies(nsILoadGroup *aLoadGroup)
-{
-  if (NS_WARN_IF(!aLoadGroup)) {
-    return false;
-  }
-  MOZ_ASSERT(aLoadGroup);
-
-  // Check the hierarchies of appropriate ancestors.
-  // 1. Parent loadgroup.
-  nsCOMPtr<nsILoadGroup> ancestor = GetLoadGroupParent(aLoadGroup);
-  if (ancestor) {
-    bool ancestorAllows = CheckLoadGroupHierarchy(ancestor);
-
-    NZPLOG("Loadgroup %p's parent loadgroup hierarchy %s private loads.",
-           aLoadGroup, ancestorAllows ? "allows" : "forbids");
-    if (!ancestorAllows) {
-      return false;
-    }
-  }
-
-  // 2. Owning loadgroup.
-  ancestor = GetOwningLoadGroup(aLoadGroup);
-  if (ancestor) {
-    bool ancestorAllows = CheckLoadGroupHierarchy(ancestor);
-
-    NZPLOG("Loadgroup %p's owning loadgroup hierarchy %s private loads.",
-           aLoadGroup, ancestorAllows ? "allows" : "forbids");
-    if (!ancestorAllows) {
-      return false;
-    }
-  }
-
-  // 3. Parent docshell's loadgroup.
-  ancestor = GetParentDocShellsLoadGroup(aLoadGroup);
-  if (ancestor) {
-    bool ancestorAllows = CheckLoadGroupHierarchy(ancestor);
-
-    NZPLOG("Loadgroup %p's parent docshell's loadgroup hierarchy %s private "
-           "loads.",
-           aLoadGroup, ancestorAllows ? "allows" : "forbids");
-    if (!ancestorAllows) {
-      return false;
-    }
-  }
-
-  // If there is no ancestor or they all have permission to load from private
-  // networks, return true.
-  NZPLOG("Loadgroup %p: no ancestor forbids loads from private networks.",
-         aLoadGroup);
-  return true;
-}
-
-bool
-nsNetworkZonePolicy::CheckLoadGroupHierarchy(nsILoadGroup *aLoadGroup)
-{
-  if (NS_WARN_IF(!aLoadGroup)) {
-    return false;
-  }
-  MOZ_ASSERT(aLoadGroup);
-
-  // Recurse until root load group of same type, or until ancestor forbids
-  // private loads.
-
-  // If current loadgroup does not allow private loads, just return.
-  bool allowed = false;
-  aLoadGroup->GetAllowLoadsFromPrivateNetworks(&allowed);
-  if (!allowed) {
-    NZPLOG("Loadgroup %p forbids loads from private networks.", aLoadGroup);
-    return false;
-  }
-
-  // Else, check the hierarchies of appropriate ancestors.
-  return CheckLoadGroupAncestorHierarchies(aLoadGroup);
-}
-
-/*
- * nsNetworkZonePolicy : nsINetworkZonePolicy
- */
-NS_IMETHODIMP
-nsNetworkZonePolicy::CheckPrivateNetworkPermission(nsIRequest *aRequest,
-                                                   bool *aAllowed)
-{
-  if (NS_WARN_IF(!aRequest)) {
-    return NS_ERROR_NULL_POINTER;
-  }
-  if (NS_WARN_IF(!aAllowed)) {
-    return NS_ERROR_NULL_POINTER;
-  }
-
-  if (NS_WARN_IF(!aRequest || !aAllowed)) {
-    return NS_ERROR_NULL_POINTER;
-  }
-
-  if (!sNZPEnabled) {
-    *aAllowed = true;
-    return NS_OK;
-  }
-
-#ifdef PR_LOGGING
-  nsAutoCString nameStr;
-  aRequest->GetName(nameStr);
-#endif
-  NZPLOG("CheckPrivateNetworkPermission for request %p [%s].", aRequest,
-         nameStr.get());
-
-  nsCOMPtr<nsILoadGroup> loadGroup;
-  nsresult rv = aRequest->GetLoadGroup(getter_AddRefs(loadGroup));
-  if (NS_WARN_IF(NS_FAILED(rv))) {
-    return rv;
-  }
-  if (!loadGroup) {
-    NZPLOG("No loadgroup for request %p [%s]; private networks allowed.",
-           aRequest, nameStr.get());
-    *aAllowed = true;
-    return NS_OK;
-  }
-
-  // Find out if this loadgroup's hierarchy allows private loads.
-  bool hierarchyAllows = CheckLoadGroupHierarchy(loadGroup);
-
-  NZPLOG("LoadGroup %p for request %p [%s] is %s private loads.",
-         loadGroup.get(), aRequest, nameStr.get(),
-         hierarchyAllows ? "allowed" : "forbidden");
-
-  *aAllowed = hierarchyAllows;
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsNetworkZonePolicy::SetPrivateNetworkPermission(nsIRequest *aRequest,
-                                                 bool aAllowed)
-{
-  if (NS_WARN_IF(!aRequest)) {
-    return NS_ERROR_NULL_POINTER;
-  }
-
-  if (!sNZPEnabled) {
-    return NS_OK;
-  }
-
-  nsCOMPtr<nsILoadGroup> loadGroup;
-  nsresult rv = aRequest->GetLoadGroup(getter_AddRefs(loadGroup));
-  if (!loadGroup || NS_WARN_IF(NS_FAILED(rv))) {
-    return rv;
-  }
-
-#ifdef PR_LOGGING
-  nsAutoCString nameStr;
-  aRequest->GetName(nameStr);
-#endif
-  NZPLOG("SetPrivateNetworkPermission: try to %s for loadgroup %p of request "
-         "%p [%s].",
-         aAllowed ? "allow" : "forbid", loadGroup.get(), aRequest,
-         nameStr.get());
-
-  // Only allow a document request to set its loadgroup's permissions.
-  nsLoadFlags flags;
-  aRequest->GetLoadFlags(&flags);
-
-  if (!(flags & nsIChannel::LOAD_DOCUMENT_URI)) {
-    NZPLOG("Skipping request %p [%s] - not a document load", aRequest,
-           nameStr.get());
-    return NS_OK;
-  }
-
-  // Do NOT allow a document load to override the loadgroup's hierarchy.
-  bool ancestorsAllow = CheckLoadGroupAncestorHierarchies(loadGroup);
-
-  NZPLOG("LoadGroup %p ancestors for request %p [%s] %s private loads.",
-         loadGroup.get(), aRequest, nameStr.get(),
-         ancestorsAllow ? "allows" : "forbids");
-
-  if (!ancestorsAllow) {
-    NZPLOG("Request %p [%s] can't override hierarchy.", aRequest,
-           nameStr.get());
-    return NS_OK;
-  }
-
-  return loadGroup->SetAllowLoadsFromPrivateNetworks(aAllowed);
-}
-
-} // namespace net
-} // namespace mozilla
deleted file mode 100644
--- a/netwerk/base/src/nsNetworkZonePolicy.h
+++ /dev/null
@@ -1,80 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef __nznetworkzonepolicy_h__
-#define __nznetworkzonepolicy_h__
-
-#include "nsCOMPtr.h"
-#include "mozilla/StaticPtr.h"
-#include "nsINetworkZonePolicy.h"
-#include "nsIObserver.h"
-
-class nsILoadGroup;
-
-namespace mozilla
-{
-namespace net
-{
-
-/**
- * class nsNetworkZonePolicy
- *
- * Implements nsINetworkZonePolicy: used by nsIRequest objects to check if
- * they have permission to load from private, RFC1918-like IP addresses.
- * See nsINetworkZonePolicy for more info.
- */
-class nsNetworkZonePolicy : public nsINetworkZonePolicy
-                          , public nsIObserver
-{
-public:
-  NS_DECL_THREADSAFE_ISUPPORTS
-  NS_DECL_NSINETWORKZONEPOLICY
-  NS_DECL_NSIOBSERVER
-
-  static already_AddRefed<nsNetworkZonePolicy> GetSingleton();
-
-private:
-  nsNetworkZonePolicy();
-  virtual ~nsNetworkZonePolicy();
-
-  // Returns the parent loadgroup of aLoadGroup, or nullptr if none exists.
-  already_AddRefed<nsILoadGroup> GetLoadGroupParent(nsILoadGroup *aLoadGroup);
-
-  // Returns the owning loadgroup of aLoadGroup, or nullptr if none exists.
-  already_AddRefed<nsILoadGroup> GetOwningLoadGroup(nsILoadGroup *aLoadGroup);
-
-  // Returns the loadgroup of the parent docshell of aLoadGroup's docshell, or
-  // nullptr if none exists.
-  already_AddRefed<nsILoadGroup>
-    GetParentDocShellsLoadGroup(nsILoadGroup *aLoadGroup);
-
-  // Checks aLoadGroup and its ancestors (parent-, owning- and docshell
-  // parent's loadgroups) to check for permission to load from private IP
-  // addresses. The function follows the ancestor hierarchy to the root
-  // loadgroup, or until a loadgroup is forbidden to load from private
-  // networks. In this way, the loadgroup and all of its ancestor loadgroups
-  // must have permission for this function to return true.
-  bool CheckLoadGroupHierarchy(nsILoadGroup *aLoadGroup);
-
-  // Similar to CheckLoadGroupHierarchy, except this function checks the
-  // ancestor hierarchy only for permission to load from private networks;
-  // aLoadGroup is not checked.
-  bool CheckLoadGroupAncestorHierarchies(nsILoadGroup *aLoadGroup);
-
-  // Keeps track of whether or not NZP is enabled.
-  static bool sNZPEnabled;
-
-  // True if shutdown notification has been received.
-  static bool sShutdown;
-
-  // Singleton pointer.
-  static StaticRefPtr<nsNetworkZonePolicy> sSingleton;
-};
-
-} // namespace net
-} // namespace mozilla
-
-#endif /* __nznetworkzonepolicy_h__ */
--- a/netwerk/base/src/nsSocketTransport2.cpp
+++ b/netwerk/base/src/nsSocketTransport2.cpp
@@ -1025,20 +1025,16 @@ nsSocketTransport::ResolveHost()
 
     uint32_t dnsFlags = 0;
     if (mConnectionFlags & nsSocketTransport::BYPASS_CACHE)
         dnsFlags = nsIDNSService::RESOLVE_BYPASS_CACHE;
     if (mConnectionFlags & nsSocketTransport::DISABLE_IPV6)
         dnsFlags |= nsIDNSService::RESOLVE_DISABLE_IPV6;
     if (mConnectionFlags & nsSocketTransport::DISABLE_IPV4)
         dnsFlags |= nsIDNSService::RESOLVE_DISABLE_IPV4;
-    if (mConnectionFlags & nsSocketTransport::DISABLE_RFC1918)
-        dnsFlags |= nsIDNSService::RESOLVE_DISABLE_RFC1918;
-    if (mConnectionFlags & nsSocketTransport::DISABLE_LOOPBACK)
-        dnsFlags |= nsIDNSService::RESOLVE_DISABLE_LOOPBACK;
 
     NS_ASSERTION(!(dnsFlags & nsIDNSService::RESOLVE_DISABLE_IPV6) ||
                  !(dnsFlags & nsIDNSService::RESOLVE_DISABLE_IPV4),
                  "Setting both RESOLVE_DISABLE_IPV6 and RESOLVE_DISABLE_IPV4");
 
     SendStatus(NS_NET_STATUS_RESOLVING_HOST);
     rv = dns->AsyncResolve(SocketHost(), dnsFlags, this, nullptr,
                            getter_AddRefs(mDNSRequest));
@@ -1198,40 +1194,35 @@ nsSocketTransport::InitiateSocket()
                            "available via the test networking proxy (if running mochitests) "
                            "or from a test-specific httpd.js server (if running xpcshell tests)."
                            " Browser services should be disabled or redirected to a local server.\n",
                            mHost.get(), ipaddr.get());
             MOZ_CRASH("Attempting to connect to non-local address!");
         }
     }
 
-    // Ensure that we're not using a private IP if such addresses are disabled.
-    bool disableRFC1918 = mConnectionFlags & nsISocketTransport::DISABLE_RFC1918;
-    bool disableLoopback = mConnectionFlags & nsISocketTransport::DISABLE_LOOPBACK;
-
-    if ((disableRFC1918 && IsIPAddrLocal(&mNetAddr)) ||
-        (disableLoopback && IsLoopBackAddress(&mNetAddr))) {
+    // Hosts/Proxy Hosts that are Local IP Literals should not be speculatively
+    // connected - Bug 853423.
+    if (mConnectionFlags & nsISocketTransport::DISABLE_RFC1918 &&
+        IsIPAddrLocal(&mNetAddr)) {
 #ifdef PR_LOGGING
         if (SOCKET_LOG_ENABLED()) {
             nsAutoCString netAddrCString;
             netAddrCString.SetCapacity(kIPv6CStrBufSize);
             if (!NetAddrToString(&mNetAddr,
                                  netAddrCString.BeginWriting(),
                                  kIPv6CStrBufSize))
                 netAddrCString = NS_LITERAL_CSTRING("<IP-to-string failed>");
-            SOCKET_LOG(("nsSocketTransport::InitiateSocket refusing to "
-                        "connect to %s host [%s:%d] proxy [%s:%d] with IP "
-                        "address [%s]",
-                        IsIPAddrLocal(&mNetAddr) ? "private" : "loopback",
+            SOCKET_LOG(("nsSocketTransport::InitiateSocket skipping "
+                        "speculative connection for host [%s:%d] proxy "
+                        "[%s:%d] with Local IP address [%s]",
                         mHost.get(), mPort, mProxyHost.get(), mProxyPort,
                         netAddrCString.get()));
         }
 #endif
-        MOZ_ASSERT(false,
-                   "Local or Loopback IP addresses disabled for this socket!");
         return NS_ERROR_CONNECTION_REFUSED;
     }
 
     //
     // find out if it is going to be ok to attach another socket to the STS.
     // if not then we have to wait for the STS to tell us that it is ok.
     // the notification is asynchronous, which means that when we could be
     // in a race to call AttachSocket once notified.  for this reason, when
@@ -1703,25 +1694,18 @@ nsSocketTransport::OnSocketEvent(uint32_
 
     case MSG_DNS_LOOKUP_COMPLETE:
         if (mDNSRequest)  // only send this if we actually resolved anything
             SendStatus(NS_NET_STATUS_RESOLVED_HOST);
 
         SOCKET_LOG(("  MSG_DNS_LOOKUP_COMPLETE\n"));
         mDNSRequest = 0;
         if (param) {
-            MOZ_ASSERT(NS_SUCCEEDED(status),
-                       "Shouldn't have DNS record if request failed.");
             mDNSRecord = static_cast<nsIDNSRecord *>(param);
-            nsresult rv = mDNSRecord->GetNextAddr(SocketPort(), &mNetAddr);
-            if (NS_FAILED(rv)) {
-                NS_WARNING("Unable to get address after name resolution "
-                           "succeeded.");
-                status = rv;
-            }
+            mDNSRecord->GetNextAddr(SocketPort(), &mNetAddr);
         }
         // status contains DNS lookup status
         if (NS_FAILED(status)) {
             // When using a HTTP proxy, NS_ERROR_UNKNOWN_HOST means the HTTP 
             // proxy host is not found, so we fixup the error code.
             // For SOCKS proxies (mProxyTransparent == true), the socket 
             // transport resolves the real host here, so there's no fixup 
             // (see bug 226943).
--- a/netwerk/build/nsNetCID.h
+++ b/netwerk/build/nsNetCID.h
@@ -452,26 +452,16 @@
 #define NS_NETWORKPREDICTOR_CID \
 { /* {969adfdf-7221-4419-aecf-05f8faf00c9b} */ \
     0x969adfdf, \
     0x7221, \
     0x4419, \
     { 0xae, 0xcf, 0x05, 0xf8, 0xfa, 0xf0, 0x0c, 0x9b } \
 }
 
-// service implementing nsINetworkZonePolicy
-#define NS_NETWORKZONEPOLICY_CONTRACTID "@mozilla.org/network/networkzonepolicy;1"
-#define NS_NETWORKZONEPOLICY_CID \
-{ /* {afcabf86-d401-41f0-a511-7a444ce31c71} */ \
-    0xafcabf86, \
-    0xd401, \
-    0x41f0, \
-    { 0xa5, 0x11, 0x7a, 0x44, 0x4c, 0xe3, 0x1c, 0x71 } \
-}
-
 /******************************************************************************
  * netwerk/cache/ classes
  */
 
 // service implementing nsICacheService.
 #define NS_CACHESERVICE_CONTRACTID \
     "@mozilla.org/network/cache-service;1"
 #define NS_CACHESERVICE_CID                          \
--- a/netwerk/build/nsNetModule.cpp
+++ b/netwerk/build/nsNetModule.cpp
@@ -33,17 +33,16 @@
 #include "nsMimeTypes.h"
 #include "nsNetStrings.h"
 #include "nsDNSPrefetch.h"
 #include "nsAboutProtocolHandler.h"
 #include "nsXULAppAPI.h"
 #include "nsCategoryCache.h"
 #include "nsIContentSniffer.h"
 #include "Predictor.h"
-#include "nsNetworkZonePolicy.h"
 #include "nsNetUtil.h"
 #include "nsIThreadPool.h"
 #include "mozilla/net/NeckoChild.h"
 
 #include "nsNetCID.h"
 
 #ifndef XP_MACOSX
 #define BUILD_BINHEX_DECODER 1
@@ -442,20 +441,16 @@ static const mozilla::Module::CategoryEn
     NS_BINARYDETECTOR_CATEGORYENTRY,
     { nullptr }
 };
 
 #ifdef BUILD_BINHEX_DECODER
 NS_GENERIC_FACTORY_CONSTRUCTOR(nsBinHexDecoder)
 #endif
 
-typedef mozilla::net::nsNetworkZonePolicy nsNetworkZonePolicy;
-NS_GENERIC_FACTORY_SINGLETON_CONSTRUCTOR(nsNetworkZonePolicy,
-                                        nsNetworkZonePolicy::GetSingleton)
-
 static nsresult
 CreateNewStreamConvServiceFactory(nsISupports* aOuter, REFNSIID aIID, void **aResult) 
 {
     if (!aResult) {                                                  
         return NS_ERROR_INVALID_POINTER;                             
     }
     if (aOuter) {                                                    
         *aResult = nullptr;                                           
@@ -798,17 +793,16 @@ NS_DEFINE_NAMED_CID(NS_NETWORK_LINK_SERV
 NS_DEFINE_NAMED_CID(NS_NETWORK_LINK_SERVICE_CID);
 #elif defined(MOZ_WIDGET_ANDROID)
 NS_DEFINE_NAMED_CID(NS_NETWORK_LINK_SERVICE_CID);
 #endif
 NS_DEFINE_NAMED_CID(NS_SERIALIZATION_HELPER_CID);
 NS_DEFINE_NAMED_CID(NS_REDIRECTCHANNELREGISTRAR_CID);
 NS_DEFINE_NAMED_CID(NS_CACHE_STORAGE_SERVICE_CID);
 NS_DEFINE_NAMED_CID(NS_NETWORKPREDICTOR_CID);
-NS_DEFINE_NAMED_CID(NS_NETWORKZONEPOLICY_CID);
 
 static const mozilla::Module::CIDEntry kNeckoCIDs[] = {
     { &kNS_IOSERVICE_CID, false, nullptr, nsIOServiceConstructor },
     { &kNS_STREAMTRANSPORTSERVICE_CID, false, nullptr, nsStreamTransportServiceConstructor },
     { &kNS_SOCKETTRANSPORTSERVICE_CID, false, nullptr, nsSocketTransportServiceConstructor },
     { &kNS_SERVERSOCKET_CID, false, nullptr, nsServerSocketConstructor },
     { &kNS_UDPSOCKET_CID, false, nullptr, nsUDPSocketConstructor },
     { &kNS_SOCKETPROVIDERSERVICE_CID, false, nullptr, nsSocketProviderService::Create },
@@ -942,17 +936,16 @@ static const mozilla::Module::CIDEntry k
     { &kNS_NETWORK_LINK_SERVICE_CID, false, nullptr, nsQtNetworkLinkServiceConstructor },
 #elif defined(MOZ_WIDGET_ANDROID)
     { &kNS_NETWORK_LINK_SERVICE_CID, false, nullptr, nsAndroidNetworkLinkServiceConstructor },
 #endif
     { &kNS_SERIALIZATION_HELPER_CID, false, nullptr, nsSerializationHelperConstructor },
     { &kNS_REDIRECTCHANNELREGISTRAR_CID, false, nullptr, RedirectChannelRegistrarConstructor },
     { &kNS_CACHE_STORAGE_SERVICE_CID, false, nullptr, CacheStorageServiceConstructor },
     { &kNS_NETWORKPREDICTOR_CID, false, nullptr, mozilla::net::Predictor::Create },
-    { &kNS_NETWORKZONEPOLICY_CID, false, nullptr, nsNetworkZonePolicyConstructor },
     { nullptr }
 };
 
 static const mozilla::Module::ContractIDEntry kNeckoContracts[] = {
     { NS_IOSERVICE_CONTRACTID, &kNS_IOSERVICE_CID },
     { NS_NETUTIL_CONTRACTID, &kNS_IOSERVICE_CID },
     { NS_STREAMTRANSPORTSERVICE_CONTRACTID, &kNS_STREAMTRANSPORTSERVICE_CID },
     { NS_SOCKETTRANSPORTSERVICE_CONTRACTID, &kNS_SOCKETTRANSPORTSERVICE_CID },
@@ -1090,17 +1083,16 @@ static const mozilla::Module::ContractID
 #elif defined(MOZ_WIDGET_ANDROID)
     { NS_NETWORK_LINK_SERVICE_CONTRACTID, &kNS_NETWORK_LINK_SERVICE_CID },
 #endif
     { NS_SERIALIZATION_HELPER_CONTRACTID, &kNS_SERIALIZATION_HELPER_CID },
     { NS_REDIRECTCHANNELREGISTRAR_CONTRACTID, &kNS_REDIRECTCHANNELREGISTRAR_CID },
     { NS_CACHE_STORAGE_SERVICE_CONTRACTID, &kNS_CACHE_STORAGE_SERVICE_CID },
     { NS_CACHE_STORAGE_SERVICE_CONTRACTID2, &kNS_CACHE_STORAGE_SERVICE_CID },
     { NS_NETWORKPREDICTOR_CONTRACTID, &kNS_NETWORKPREDICTOR_CID },
-    { NS_NETWORKZONEPOLICY_CONTRACTID, &kNS_NETWORKZONEPOLICY_CID },
     { nullptr }
 };
 
 static const mozilla::Module kNeckoModule = {
     mozilla::Module::kVersion,
     kNeckoCIDs,
     kNeckoContracts,
     kNeckoCategories,
--- a/netwerk/cache/nsDiskCache.h
+++ b/netwerk/cache/nsDiskCache.h
@@ -6,17 +6,17 @@
 
 
 #ifndef _nsDiskCache_h_
 #define _nsDiskCache_h_
 
 #include "nsCacheEntry.h"
 
 #ifdef XP_WIN
-#include <winsock2.h>  // for htonl/ntohl
+#include <winsock.h>  // for htonl/ntohl
 #endif
 
 
 class nsDiskCache {
 public:
     enum {
             kCurrentVersion = 0x00010013      // format = 16 bits major version/16 bits minor version
     };
--- a/netwerk/dns/DNS.cpp
+++ b/netwerk/dns/DNS.cpp
@@ -199,21 +199,16 @@ bool IsIPAddrLocal(const NetAddr *addr)
         addr16 >> 6 == 0xfe80 >> 6) { // fe80::/10 Link Local Address.
       return true;
     }
   }
   // Not an IPv4/6 local address.
   return false;
 }
 
-bool IsIPAddrPrivate(const NetAddr *addr)
-{
-  return IsIPAddrLocal(addr) || IsLoopBackAddress(addr);
-}
-
 bool
 NetAddr::operator == (const NetAddr& other) const
 {
   if (this->raw.family != other.raw.family) {
     return false;
   } else if (this->raw.family == AF_INET) {
     return (this->inet.port == other.inet.port) &&
            (this->inet.ip == other.inet.ip);
@@ -227,29 +222,17 @@ NetAddr::operator == (const NetAddr& oth
   } else if (this->raw.family == AF_LOCAL) {
     return PL_strncmp(this->local.path, other.local.path,
                       ArrayLength(this->local.path));
 #endif
   }
   return false;
 }
 
-bool
-NetAddr::EqualsIP(const NetAddr& other) const
-{
-  if (this->raw.family != other.raw.family) {
-    return false;
-  } else if (this->raw.family == AF_INET) {
-    return (this->inet.ip == other.inet.ip);
-  } else if (this->raw.family == AF_INET6) {
-    return (memcmp(&this->inet6.ip, &other.inet6.ip,
-                   sizeof(this->inet6.ip)) == 0);
-  }
-  return false;
-}
+
 
 NetAddrElement::NetAddrElement(const PRNetAddr *prNetAddr)
 {
   PRNetAddrToNetAddr(prNetAddr, &mAddress);
 }
 
 NetAddrElement::NetAddrElement(const NetAddrElement& netAddr)
 {
--- a/netwerk/dns/DNS.h
+++ b/netwerk/dns/DNS.h
@@ -106,18 +106,16 @@ union NetAddr {
 #if defined(XP_UNIX)
   struct {                          /* Unix domain socket address */
     uint16_t family;                /* address family (AF_UNIX) */
     char path[104];                 /* null-terminated pathname */
   } local;
 #endif
   // introduced to support nsTArray<NetAddr> (for DNSRequestParent.cpp)
   bool operator == (const NetAddr& other) const;
-  // Compares ip fields only; excludes port and other data; IPv4 and v6 only.
-  bool EqualsIP(const NetAddr& other) const;
 };
 
 // This class wraps a NetAddr union to provide C++ linked list
 // capabilities and other methods. It is created from a PRNetAddr,
 // which is converted to a mozilla::dns::NetAddr.
 class NetAddrElement : public LinkedListElement<NetAddrElement> {
 public:
   NetAddrElement(const PRNetAddr *prNetAddr);
@@ -161,16 +159,14 @@ void NetAddrToPRNetAddr(const NetAddr *a
 bool NetAddrToString(const NetAddr *addr, char *buf, uint32_t bufSize);
 
 bool IsLoopBackAddress(const NetAddr *addr);
 
 bool IsIPAddrAny(const NetAddr *addr);
 
 bool IsIPAddrV4Mapped(const NetAddr *addr);
 
-bool IsIPAddrPrivate(const NetAddr *addr);
-
 bool IsIPAddrLocal(const NetAddr *addr);
 
 } // namespace net
 } // namespace mozilla
 
 #endif // DNS_h_
--- a/netwerk/dns/nsDNSService2.cpp
+++ b/netwerk/dns/nsDNSService2.cpp
@@ -56,58 +56,31 @@ class nsDNSRecord : public nsIDNSRecord
 public:
     NS_DECL_THREADSAFE_ISUPPORTS
     NS_DECL_NSIDNSRECORD
 
     nsDNSRecord(nsHostRecord *hostRecord)
         : mHostRecord(hostRecord)
         , mIter(nullptr)
         , mIterGenCnt(-1)
-        , mHideLocalIPAddresses(false)
-        , mHideLoopbackIPAddresses(false)
         , mDone(false) {}
 
-    // Do not return private, RFC1918-like IP addresses.
-    void HideLocalIPAddresses();
-
-    // Do not return loopback addresses.
-    void HideLoopbackIPAddresses();
-
-    // Convenience function for nsIDNSRecord.hasMore().
-    bool HasMore();
-
 private:
     virtual ~nsDNSRecord() {}
 
     nsRefPtr<nsHostRecord>  mHostRecord;
     NetAddrElement         *mIter;
     int                     mIterGenCnt; // the generation count of
                                          // mHostRecord->addr_info when we
                                          // start iterating
-    // True if private, RFC1918-like IP addresses should be hidden.
-    bool                    mHideLocalIPAddresses;
-    // True if loopback addresses should be hidden.
-    bool                    mHideLoopbackIPAddresses;
     bool                    mDone;
 };
 
 NS_IMPL_ISUPPORTS(nsDNSRecord, nsIDNSRecord)
 
-void
-nsDNSRecord::HideLocalIPAddresses()
-{
-    mHideLocalIPAddresses = true;
-}
-
-void
-nsDNSRecord::HideLoopbackIPAddresses()
-{
-    mHideLoopbackIPAddresses = true;
-}
-
 NS_IMETHODIMP
 nsDNSRecord::GetCanonicalName(nsACString &result)
 {
     // this method should only be called if we have a CNAME
     NS_ENSURE_TRUE(mHostRecord->flags & nsHostResolver::RES_CANON_NAME,
                    NS_ERROR_NOT_AVAILABLE);
 
     // if the record is for an IP address literal, then the canonical
@@ -144,55 +117,42 @@ nsDNSRecord::GetNextAddr(uint16_t port, 
         bool startedFresh = !mIter;
 
         do {
             if (!mIter) {
                 mIter = mHostRecord->addr_info->mAddresses.getFirst();
             } else {
                 mIter = mIter->getNext();
             }
-        } while (mIter && (mHostRecord->Blacklisted(&mIter->mAddress) ||
-                           (mHideLocalIPAddresses &&
-                            IsIPAddrLocal(&mIter->mAddress)) ||
-                           (mHideLoopbackIPAddresses &&
-                            IsLoopBackAddress(&mIter->mAddress))));
+        }
+        while (mIter && mHostRecord->Blacklisted(&mIter->mAddress));
 
         if (!mIter && startedFresh) {
             // If everything was blacklisted we want to reset the blacklist (and
             // likely relearn it) and return the first address. That is better
             // than nothing.
             mHostRecord->ResetBlacklist();
             mIter = mHostRecord->addr_info->mAddresses.getFirst();
-
-            // If Private IPs are hidden, return the first public address.
-            while (mIter && ((mHideLocalIPAddresses &&
-                             IsIPAddrLocal(&mIter->mAddress)) ||
-                            (mHideLoopbackIPAddresses &&
-                             IsLoopBackAddress(&mIter->mAddress)))) {
-                mIter = mIter->getNext();
-            }
         }
 
         if (mIter) {
             memcpy(addr, &mIter->mAddress, sizeof(NetAddr));
         }
 
         mHostRecord->addr_info_lock.Unlock();
 
         if (!mIter) {
             mDone = true;
             return NS_ERROR_NOT_AVAILABLE;
         }
     }
     else {
         mHostRecord->addr_info_lock.Unlock();
 
-        if (!mHostRecord->addr ||
-            (mHideLocalIPAddresses && IsIPAddrLocal(mHostRecord->addr)) ||
-            (mHideLoopbackIPAddresses && IsLoopBackAddress(mHostRecord->addr))) {
+        if (!mHostRecord->addr) {
             // Both mHostRecord->addr_info and mHostRecord->addr are null.
             // This can happen if mHostRecord->addr_info expired and the
             // attempt to reresolve it failed.
             return NS_ERROR_NOT_AVAILABLE;
         }
         memcpy(addr, mHostRecord->addr, sizeof(NetAddr));
         mDone = true;
     }
@@ -251,25 +211,16 @@ nsDNSRecord::HasMore(bool *result)
     *result = NS_SUCCEEDED(GetNextAddr(0, &addr));
 
     mIter = iterCopy;
     mDone = false;
 
     return NS_OK;
 }
 
-bool
-nsDNSRecord::HasMore()
-{
-    bool more;
-    DebugOnly<nsresult> rv = HasMore(&more);
-    MOZ_ASSERT(NS_SUCCEEDED(rv));
-    return more;
-}
-
 NS_IMETHODIMP
 nsDNSRecord::Rewind()
 {
     mIter = nullptr;
     mIterGenCnt = -1;
     mDone = false;
     return NS_OK;
 }
@@ -337,28 +288,19 @@ nsDNSAsyncRequest::OnLookupComplete(nsHo
                                     nsresult        status)
 {
     // need to have an owning ref when we issue the callback to enable
     // the caller to be able to addref/release multiple times without
     // destroying the record prematurely.
     nsCOMPtr<nsIDNSRecord> rec;
     if (NS_SUCCEEDED(status)) {
         NS_ASSERTION(hostRecord, "no host record");
-        nsRefPtr<nsDNSRecord> recImpl = new nsDNSRecord(hostRecord);
-        if (mFlags & nsIDNSService::RESOLVE_DISABLE_RFC1918) {
-            recImpl->HideLocalIPAddresses();
-        }
-        if (mFlags & nsIDNSService::RESOLVE_DISABLE_LOOPBACK) {
-            recImpl->HideLoopbackIPAddresses();
-        }
-        if (!recImpl->HasMore()) {
-            status = NS_ERROR_UNKNOWN_HOST;
-            recImpl = nullptr;
-        }
-        rec = recImpl.forget();
+        rec = new nsDNSRecord(hostRecord);
+        if (!rec)
+            status = NS_ERROR_OUT_OF_MEMORY;
     }
 
     MOZ_EVENT_TRACER_DONE(this, "net::dns::lookup");
 
     mListener->OnLookupComplete(this, rec, status);
     mListener = nullptr;
 
     // release the reference to ourselves that was added before we were
@@ -890,28 +832,21 @@ nsDNSService::Resolve(const nsACString &
         // wait for result
         while (!syncReq.mDone)
             PR_Wait(mon, PR_INTERVAL_NO_TIMEOUT);
 
         if (NS_FAILED(syncReq.mStatus))
             rv = syncReq.mStatus;
         else {
             NS_ASSERTION(syncReq.mHostRecord, "no host record");
-            nsRefPtr<nsDNSRecord> rec = new nsDNSRecord(syncReq.mHostRecord);
-            if (flags & nsIDNSService::RESOLVE_DISABLE_RFC1918) {
-              rec->HideLocalIPAddresses();
-            }
-            if (flags & nsIDNSService::RESOLVE_DISABLE_LOOPBACK) {
-              rec->HideLoopbackIPAddresses();
-            }
-            if (!rec->HasMore()) {
-                rv = NS_ERROR_UNKNOWN_HOST;
-                rec = nullptr;
-            }
-            rec.forget(result);
+            nsDNSRecord *rec = new nsDNSRecord(syncReq.mHostRecord);
+            if (!rec)
+                rv = NS_ERROR_OUT_OF_MEMORY;
+            else
+                NS_ADDREF(*result = rec);
         }
     }
 
     PR_ExitMonitor(mon);
     PR_DestroyMonitor(mon);
     return rv;
 }
 
--- a/netwerk/dns/nsIDNSService.idl
+++ b/netwerk/dns/nsIDNSService.idl
@@ -133,21 +133,9 @@ interface nsIDNSService : nsISupports
      * asyncResolve.
      */
     const unsigned long RESOLVE_OFFLINE = (1 << 6);
 
     /**
      * If set, only IPv6 addresses will be returned from resolve/asyncResolve.
      */
     const unsigned long RESOLVE_DISABLE_IPV4 = (1 << 7);
-
-    /**
-     * If set, local (RFC1918) addresses will NOT be returned from
-     * resolve/asyncResolve.
-     */
-    const unsigned long RESOLVE_DISABLE_RFC1918 = (1 << 8);
-
-    /**
-     * If set, loopback addresses will NOT be returned from
-     * resolve/asyncResolve.
-     */
-    const unsigned long RESOLVE_DISABLE_LOOPBACK = (1 << 9);
 };
--- a/netwerk/protocol/http/HttpBaseChannel.cpp
+++ b/netwerk/protocol/http/HttpBaseChannel.cpp
@@ -71,19 +71,17 @@ HttpBaseChannel::HttpBaseChannel()
   , mHttpHandler(gHttpHandler)
   , mRedirectCount(0)
   , mForcePending(false)
 {
   LOG(("Creating HttpBaseChannel @%x\n", this));
 
   // Subfields of unions cannot be targeted in an initializer list
   mSelfAddr.raw.family = PR_AF_UNSPEC;
-  memset(&mSelfAddr, 0, sizeof(mSelfAddr.raw.data));
   mPeerAddr.raw.family = PR_AF_UNSPEC;
-  memset(&mPeerAddr, 0, sizeof(mPeerAddr.raw.data));
 }
 
 HttpBaseChannel::~HttpBaseChannel()
 {
   LOG(("Destroying HttpBaseChannel @%x\n", this));
 
   // Make sure we don't leak
   CleanRedirectCacheChainIfNecessary();
--- a/netwerk/protocol/http/nsAHttpConnection.h
+++ b/netwerk/protocol/http/nsAHttpConnection.h
@@ -135,19 +135,16 @@ public:
 
     // The number of transaction bytes written out on this HTTP Connection, does
     // not count CONNECT tunnel setup
     virtual int64_t BytesWritten() = 0;
 
     // Update the callbacks used to provide security info. May be called on
     // any thread.
     virtual void SetSecurityCallbacks(nsIInterfaceRequestor* aCallbacks) = 0;
-
-    // Returns true if the socket peer has a private (RFC1918-like) address.
-    virtual bool PeerHasPrivateIP() = 0;
 };
 
 NS_DEFINE_STATIC_IID_ACCESSOR(nsAHttpConnection, NS_AHTTPCONNECTION_IID)
 
 #define NS_DECL_NSAHTTPCONNECTION(fwdObject)                    \
     nsresult OnHeadersAvailable(nsAHttpTransaction *, nsHttpRequestHead *, nsHttpResponseHead *, bool *reset); \
     void CloseTransaction(nsAHttpTransaction *, nsresult); \
     nsresult TakeTransport(nsISocketTransport **,    \
@@ -228,17 +225,13 @@ NS_DEFINE_STATIC_IID_ACCESSOR(nsAHttpCon
         return (fwdObject)->Classify(newclass);             \
     }                                                       \
     int64_t BytesWritten()                                  \
     {     return fwdObject ? (fwdObject)->BytesWritten() : 0; } \
     void SetSecurityCallbacks(nsIInterfaceRequestor* aCallbacks) \
     {                                                       \
         if (fwdObject)                                      \
             (fwdObject)->SetSecurityCallbacks(aCallbacks);  \
-    }                                                       \
-    bool PeerHasPrivateIP()                                 \
-    { \
-        return fwdObject ? (fwdObject)->PeerHasPrivateIP() : false; \
     }
 
 }} // namespace mozilla::net
 
 #endif // nsAHttpConnection_h__
--- a/netwerk/protocol/http/nsHttp.h
+++ b/netwerk/protocol/http/nsHttp.h
@@ -78,19 +78,16 @@ typedef uint8_t nsHttpVersion;
 // a transaction with this flag loads without respect to whether the load
 // group is currently blocking on some resources
 #define NS_HTTP_LOAD_UNBLOCKED       (1<<8)
 
 // These flags allow a transaction to use TLS false start with
 // weaker security profiles based on past history
 #define NS_HTTP_ALLOW_RSA_FALSESTART (1<<9)
 
-// Allows a transaction to use a connection to a private, RFC1918-like address.
-#define NS_HTTP_ALLOW_PRIVATE_IP_ADDRESSES (1<<10)
-
 //-----------------------------------------------------------------------------
 // some default values
 //-----------------------------------------------------------------------------
 
 #define NS_HTTP_DEFAULT_PORT  80
 #define NS_HTTPS_DEFAULT_PORT 443
 
 #define NS_HTTP_HEADER_SEPS ", \t"
--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
@@ -15,17 +15,16 @@
 #include "nsICacheStorageService.h"
 #include "nsICacheStorage.h"
 #include "nsICacheEntry.h"
 #include "nsICryptoHash.h"
 #include "nsIStringBundle.h"
 #include "nsIStreamListenerTee.h"
 #include "nsISeekableStream.h"
 #include "nsILoadGroupChild.h"
-#include "nsINetworkZonePolicy.h"
 #include "nsIProtocolProxyService2.h"
 #include "nsMimeTypes.h"
 #include "nsNetUtil.h"
 #include "prprf.h"
 #include "prnetdb.h"
 #include "nsEscape.h"
 #include "nsStreamUtils.h"
 #include "nsIOService.h"
@@ -2703,44 +2702,16 @@ nsHttpChannel::OnCacheEntryCheck(nsICach
         // The cached response does not contain an entity.  We can only reuse
         // the response if the current request is also HEAD.
         if (!mRequestHead.IsHead()) {
             return NS_OK;
         }
     }
     buf.Adopt(0);
 
-    // If the entry was loaded from a private/RFC1918 network, verify that
-    // private loads are allowed for this loadgroup and that the network
-    // link ID matches.
-    rv = entry->GetMetaDataElement("loaded-from-private-network",
-                                   getter_Copies(buf));
-    if (NS_SUCCEEDED(rv) && !buf.IsEmpty()) {
-        bool privateIPAddrOK = true;
-        nsCString currentNetworkIDString;
-        rv = gIOService->GetNetworkLinkID(currentNetworkIDString);
-        if (NS_WARN_IF(NS_FAILED(rv))) {
-            return rv;
-        }
-        if (!buf.Equals(currentNetworkIDString)) {
-            LOG(("nsHttpChannel::OnCacheEntryCheck %p private entry "
-                 "does not match network link ID - not wanted.", this));
-            privateIPAddrOK = false;
-        } else {
-            privateIPAddrOK = mCaps & NS_HTTP_ALLOW_PRIVATE_IP_ADDRESSES;
-            LOG(("nsHttpChannel::OnCacheEntryCheck %p private entry %s.",
-                 this, privateIPAddrOK ? "allowed" : "forbidden"));
-        }
-        if (!privateIPAddrOK) {
-            *aResult = ENTRY_NOT_WANTED;
-            return NS_OK;
-        }
-    }
-    buf.Adopt(0);
-
     // We'll need this value in later computations...
     uint32_t lastModifiedTime;
     rv = entry->GetLastModified(&lastModifiedTime);
     NS_ENSURE_SUCCESS(rv, rv);
 
     // Determine if this is the first time that this cache entry
     // has been accessed during this session.
     bool fromPreviousSession =
@@ -3147,40 +3118,16 @@ nsHttpChannel::OnNormalCacheEntryAvailab
     if (NS_SUCCEEDED(aEntryStatus)) {
         mCacheEntry = aEntry;
         mCacheEntryIsWriteOnly = aNew;
 
         if (mLoadFlags & LOAD_INITIAL_DOCUMENT_URI) {
             Telemetry::Accumulate(Telemetry::HTTP_OFFLINE_CACHE_DOCUMENT_LOAD,
                                   false);
         }
-
-        // For cached doument loads, we must set Private/Public Network load
-        // permissions for the document's sub-resources.
-        // -- Forbid private loads if the doc was loaded on a public network.
-        // -- Allow private loads if the doc was loaded from a private IP.
-        // Note: Private docs should only be loaded from the same network.
-        //       This check should already have been done in OnCacheEntryCheck.
-        if (mNZP && !aNew && mLoadFlags & nsIChannel::LOAD_DOCUMENT_URI) {
-            nsXPIDLCString buf;
-            nsresult rv =
-                mCacheEntry->GetMetaDataElement("loaded-from-private-network",
-                                                getter_Copies(buf));
-            bool privateIPAddrOK = NS_SUCCEEDED(rv) && !buf.IsEmpty();
-
-            LOG(("nsHttpChannel::OnNormalCacheEntryAvailable %p document "
-                 "load: %s sub-resource loads from private networks.",
-                 this, privateIPAddrOK ? "allows" : "forbids"));
-
-            rv = mNZP->SetPrivateNetworkPermission(this, privateIPAddrOK);
-            if (NS_FAILED(rv)) {
-                LOG(("nsHttpChannel::OnNormalCacheEntryAvailable %p failed "
-                     "SetPrivateNetworkPermission rv=0x%x", this, rv));
-            }
-        }
     }
 
     return NS_OK;
 }
 
 nsresult
 nsHttpChannel::OnOfflineCacheEntryAvailable(nsICacheEntry *aEntry,
                                             bool aNew,
@@ -3915,33 +3862,16 @@ nsHttpChannel::AddCacheEntryHeaders(nsIC
 
     // Store the received HTTP head with the cache entry as an element of
     // the meta data.
     nsAutoCString head;
     mResponseHead->Flatten(head, true);
     rv = entry->SetMetaDataElement("response-head", head.get());
     if (NS_FAILED(rv)) return rv;
 
-    // If the response was loaded from a private/RFC1918 network, store
-    // the networkLinkID in a metadata header.
-    if (IsIPAddrPrivate(&mPeerAddr)) {
-        char privateNetworkIDString[21];
-        PR_snprintf(privateNetworkIDString, sizeof(privateNetworkIDString),
-                    "%llu", mPrivateNetworkID);
-        MOZ_ASSERT(strlen(privateNetworkIDString) > 0);
-
-        LOG(("nsHttpChannel::AddCacheEntryHeaders %p setting loaded-from-"
-             "private-network=%s", this, privateNetworkIDString));
-        rv = entry->SetMetaDataElement("loaded-from-private-network",
-                                       privateNetworkIDString);
-        if (NS_FAILED(rv)) {
-            return rv;
-        }
-    }
-
     // Indicate we have successfully finished setting metadata on the cache entry.
     rv = entry->MetaDataReady();
 
     return rv;
 }
 
 inline void
 GetAuthType(const char *challenge, nsCString &authType)
@@ -4538,42 +4468,18 @@ nsHttpChannel::AsyncOpen(nsIStreamListen
     mIsPending = true;
     mWasOpened = true;
 
     mListener = listener;
     mListenerContext = context;
 
     // add ourselves to the load group.  from this point forward, we'll report
     // all failures asynchronously.
-    if (mLoadGroup) {
+    if (mLoadGroup)
         mLoadGroup->AddRequest(this, nullptr);
-    }
-
-    // Check if the channel is allowed to load from private addresses.
-    mNZP = do_GetService(NS_NETWORKZONEPOLICY_CONTRACTID, &rv);
-    if (NS_SUCCEEDED(rv) && mNZP) {
-        bool privateIPAddrOK = false;
-        rv = mNZP->CheckPrivateNetworkPermission(this, &privateIPAddrOK);
-        if (NS_SUCCEEDED(rv) && privateIPAddrOK) {
-            mCaps |= NS_HTTP_ALLOW_PRIVATE_IP_ADDRESSES;
-        } else if (NS_FAILED(rv)) {
-            LOG(("nsHttpChannel::AsyncOpen %p CheckPrivateNetworkPermission "
-                 "failed with rv=0x%x", this, rv));
-        }
-#ifdef PR_LOGGING
-        nsAutoCString host;
-        rv = mURI->GetAsciiHost(host);
-        LOG(("nsHttpChannel::AsyncOpen %p private addresses %s for "
-             "%s", this, privateIPAddrOK ? "allowed" : "forbidden",
-             host.get()));
-#endif
-    } else {
-        LOG(("nsHttpChannel::AsyncOpen %p No NetworkZonePolicy object rv=0x%x",
-             this, rv));
-    }
 
     // record asyncopen time unconditionally and clear it if we
     // don't want it after OnModifyRequest() weighs in. But waiting for
     // that to complete would mean we don't include proxy resolution in the
     // timing.
     mAsyncOpenTime = TimeStamp::Now();
 
     // the only time we would already know the proxy information at this
@@ -5510,55 +5416,18 @@ nsHttpChannel::OnTransportStatus(nsITran
     if (!mProgressSink)
         GetCallback(mProgressSink);
 
     if (status == NS_NET_STATUS_CONNECTED_TO ||
         status == NS_NET_STATUS_WAITING_FOR) {
         nsCOMPtr<nsISocketTransport> socketTransport =
             do_QueryInterface(trans);
         if (socketTransport) {
-            nsresult selfRv = socketTransport->GetSelfAddr(&mSelfAddr);
-            nsresult peerRv = socketTransport->GetPeerAddr(&mPeerAddr);
-
-            // XXX Remove this call to UpdateNetworkLinkID once Bug 939319 and
-            // associated bugs for NS_NETWORK_LINK_DATA_CHANGED are complete on
-            // all supported platforms. For now, update the network link ID with
-            // mSelfAddr, assuming we were able to get it successfully.
-            if (NS_SUCCEEDED(selfRv)) {
-                gIOService->UpdateNetworkLinkID(mSelfAddr);
-            }
-
-            // If the peer is private, store the network link ID now to be
-            // saved in the cache headers later. Also check permissions.
-            bool peerHasPrivateAddr = NS_SUCCEEDED(peerRv) &&
-                                      IsIPAddrPrivate(&mPeerAddr);
-            if (peerHasPrivateAddr) {
-                mPrivateNetworkID = gIOService->GetNetworkLinkID();
-
-                if (!(mCaps & NS_HTTP_ALLOW_PRIVATE_IP_ADDRESSES)) {
-                    LOG(("nsHttpChannel::OnTransportStatus %p not permitted "
-                         "to load from private IP address! Canceling.", this));
-                    return Cancel(NS_ERROR_CONNECTION_REFUSED);
-                }
-            }
-
-            // If this is a document load, set permissions for the rest of the
-            // loadgroup's requests.
-            if (mNZP && NS_SUCCEEDED(peerRv) &&
-                mLoadFlags & nsIChannel::LOAD_DOCUMENT_URI) {
-                LOG(("nsHttpChannel::OnTransportStatus %p document load: "
-                     "%s sub-resource loads from private networks.",
-                     this, peerHasPrivateAddr ? "allows" : "forbids"));
-                nsresult rv =
-                    mNZP->SetPrivateNetworkPermission(this, peerHasPrivateAddr);
-                if (NS_FAILED(rv)) {
-                    LOG(("nsHttpChannel::OnTransportStatus %p failed "
-                         "SetPrivateNetworkPermission rv=0x%x", this, rv));
-                }
-            }
+            socketTransport->GetSelfAddr(&mSelfAddr);
+            socketTransport->GetPeerAddr(&mPeerAddr);
         }
     }
 
     // block socket status event after Cancel or OnStopRequest has been called.
     if (mProgressSink && NS_SUCCEEDED(mStatus) && mIsPending && !(mLoadFlags & LOAD_BACKGROUND)) {
         LOG(("sending status notification [this=%p status=%x progress=%llu/%llu]\n",
             this, status, progress, progressMax));
 
--- a/netwerk/protocol/http/nsHttpChannel.h
+++ b/netwerk/protocol/http/nsHttpChannel.h
@@ -14,17 +14,16 @@
 #include "nsICacheEntryOpenCallback.h"
 #include "nsIDNSListener.h"
 #include "nsIApplicationCacheChannel.h"
 #include "nsIProtocolProxyCallback.h"
 #include "nsIHttpAuthenticableChannel.h"
 #include "nsIAsyncVerifyRedirectCallback.h"
 #include "nsIThreadRetargetableRequest.h"
 #include "nsIThreadRetargetableStreamListener.h"
-#include "nsINetworkZonePolicy.h"
 #include "nsWeakReference.h"
 #include "TimingStruct.h"
 #include "AutoClose.h"
 
 class nsIPrincipal;
 class nsDNSPrefetch;
 class nsICacheEntryDescriptor;
 class nsICancelable;
@@ -418,19 +417,13 @@ private:
     void PopRedirectAsyncFunc(nsContinueRedirectionFunc func);
 
 protected:
     virtual void DoNotifyListenerCleanup();
     nsPerformance* GetPerformance();
 
 private: // cache telemetry
     bool mDidReval;
-
-    // The network link ID generated by nsIOService at the time of connection.
-    uint64_t mPrivateNetworkID;
-
-    // Set during AsyncOpen
-    nsCOMPtr<nsINetworkZonePolicy> mNZP;
 };
 
 } } // namespace mozilla::net
 
 #endif // nsHttpChannel_h__
--- a/netwerk/protocol/http/nsHttpConnection.cpp
+++ b/netwerk/protocol/http/nsHttpConnection.cpp
@@ -1707,33 +1707,16 @@ nsHttpConnection::OnSocketReadable()
             }
         }
         // read more from the socket until error...
     } while (again);
 
     return rv;
 }
 
-bool
-nsHttpConnection::PeerHasPrivateIP()
-{
-    MOZ_ASSERT(PR_GetCurrentThread() == gSocketThread);
-    if (!mSocketTransport) {
-        return false;
-    }
-
-    NetAddr peerAddr;
-    nsresult rv = mSocketTransport->GetPeerAddr(&peerAddr);
-    if (NS_FAILED(rv)) {
-        return false;
-    }
-
-    return IsIPAddrPrivate(&peerAddr);
-}
-
 void
 nsHttpConnection::SetupSecondaryTLS()
 {
     MOZ_ASSERT(PR_GetCurrentThread() == gSocketThread);
     MOZ_ASSERT(!mTLSFilter);
     LOG(("nsHttpConnection %p SetupSecondaryTLS %s %d\n",
          this, mConnInfo->Host(), mConnInfo->Port()));
     mTLSFilter = new TLSFilterTransaction(mTransaction,
--- a/netwerk/protocol/http/nsHttpConnection.h
+++ b/netwerk/protocol/http/nsHttpConnection.h
@@ -195,19 +195,16 @@ public:
     bool    IsExperienced() { return mExperienced; }
 
     static nsresult MakeConnectString(nsAHttpTransaction *trans,
                                       nsHttpRequestHead *request,
                                       nsACString &result);
     void    SetupSecondaryTLS();
     void    SetInSpdyTunnel(bool arg);
 
-    // Returns true if the socket peer has a private (RFC1918-like) address.
-    bool    PeerHasPrivateIP();
-
 private:
     // Value (set in mTCPKeepaliveConfig) indicates which set of prefs to use.
     enum TCPKeepaliveConfig {
       kTCPKeepaliveDisabled = 0,
       kTCPKeepaliveShortLivedConfig,
       kTCPKeepaliveLongLivedConfig
     };
 
--- a/netwerk/protocol/http/nsHttpConnectionMgr.cpp
+++ b/netwerk/protocol/http/nsHttpConnectionMgr.cpp
@@ -2933,30 +2933,20 @@ nsHalfOpenSocket::SetupStreams(nsISocket
     if (mEnt->mPreferIPv6) {
         tmpFlags |= nsISocketTransport::DISABLE_IPV4;
     }
     else if (mEnt->mPreferIPv4 ||
              (isBackup && gHttpHandler->FastFallbackToIPv4())) {
         tmpFlags |= nsISocketTransport::DISABLE_IPV6;
     }
 
-    // Allow speculative connections for loopback so we can run tests.
-    if (IsSpeculative() && gHttpHandler->AllowSpeculativeConnectOnLoopback()) {
+    if (IsSpeculative()) {
         tmpFlags |= nsISocketTransport::DISABLE_RFC1918;
-        LOG(("nsHalfOpenSocket::SetupStreams %p Disable private IPs for "
-             "speculative connections", this));
-    } else if (IsSpeculative() ||
-               !(mCaps & NS_HTTP_ALLOW_PRIVATE_IP_ADDRESSES)) {
-        tmpFlags |= nsISocketTransport::DISABLE_LOOPBACK |
-                    nsISocketTransport::DISABLE_RFC1918;
-        LOG(("nsHalfOpenSocket::SetupStreams %p Disable loopback and private "
-             "IPs", this));
     }
 
-
     socketTransport->SetConnectionFlags(tmpFlags);
 
     socketTransport->SetQoSBits(gHttpHandler->GetQoSBits());
 
     rv = socketTransport->SetEventSink(this, nullptr);
     NS_ENSURE_SUCCESS(rv, rv);
 
     rv = socketTransport->SetSecurityCallbacks(this);
--- a/netwerk/protocol/http/nsHttpHandler.cpp
+++ b/netwerk/protocol/http/nsHttpHandler.cpp
@@ -191,17 +191,16 @@ nsHttpHandler::nsHttpHandler()
     , mSpdySendingChunkSize(ASpdySession::kSendingChunkSize)
     , mSpdySendBufferSize(ASpdySession::kTCPSendBufferSize)
     , mSpdyPushAllowance(32768)
     , mSpdyPingThreshold(PR_SecondsToInterval(58))
     , mSpdyPingTimeout(PR_SecondsToInterval(8))
     , mConnectTimeout(90000)
     , mBypassCacheLockThreshold(250.0)
     , mParallelSpeculativeConnectLimit(6)
-    , mAllowSpeculativeConnectOnLoopback(false)
     , mRequestTokenBucketEnabled(true)
     , mRequestTokenBucketMinParallelism(6)
     , mRequestTokenBucketHz(100)
     , mRequestTokenBucketBurst(32)
     , mTCPKeepaliveShortLivedEnabled(false)
     , mTCPKeepaliveShortLivedTimeS(60)
     , mTCPKeepaliveShortLivedIdleTimeS(10)
     , mTCPKeepaliveLongLivedEnabled(false)
@@ -516,16 +515,38 @@ nsHttpHandler::GetCookieService()
 
 nsresult
 nsHttpHandler::GetIOService(nsIIOService** result)
 {
     NS_ADDREF(*result = mIOService);
     return NS_OK;
 }
 
+uint32_t
+nsHttpHandler::Get32BitsOfPseudoRandom()
+{
+    // only confirm rand seeding on socket thread
+    MOZ_ASSERT(PR_GetCurrentThread() == gSocketThread);
+
+    // rand() provides different amounts of PRNG on different platforms.
+    // 15 or 31 bits are common amounts.
+
+    PR_STATIC_ASSERT(RAND_MAX >= 0xfff);
+
+#if RAND_MAX < 0xffffU
+    return ((uint16_t) rand() << 20) |
+            (((uint16_t) rand() & 0xfff) << 8) |
+            ((uint16_t) rand() & 0xff);
+#elif RAND_MAX < 0xffffffffU
+    return ((uint16_t) rand() << 16) | ((uint16_t) rand() & 0xffff);
+#else
+    return (uint32_t) rand();
+#endif
+}
+
 void
 nsHttpHandler::NotifyObservers(nsIHttpChannel *chan, const char *event)
 {
     LOG(("nsHttpHandler::NotifyObservers [chan=%x event=\"%s\"]\n", chan, event));
     if (mObserverService)
         mObserverService->NotifyObservers(chan, event, nullptr);
 }
 
@@ -1230,23 +1251,16 @@ nsHttpHandler::PrefsChanged(nsIPrefBranc
     // The maximum number of current global half open sockets allowable
     // for starting a new speculative connection.
     if (PREF_CHANGED(HTTP_PREF("speculative-parallel-limit"))) {
         rv = prefs->GetIntPref(HTTP_PREF("speculative-parallel-limit"), &val);
         if (NS_SUCCEEDED(rv))
             mParallelSpeculativeConnectLimit = (uint32_t) clamped(val, 0, 1024);
     }
 
-    if (PREF_CHANGED(HTTP_PREF("speculative.allowLoopback"))) {
-        rv = prefs->GetBoolPref(HTTP_PREF("speculative.allowLoopback"), &cVar);
-        if (NS_SUCCEEDED(rv)) {
-            mAllowSpeculativeConnectOnLoopback = cVar;
-        }
-    }
-
     // Whether or not to block requests for non head js/css items (e.g. media)
     // while those elements load.
     if (PREF_CHANGED(HTTP_PREF("rendering-critical-requests-prioritization"))) {
         rv = prefs->GetBoolPref(HTTP_PREF("rendering-critical-requests-prioritization"), &cVar);
         if (NS_SUCCEEDED(rv))
             mCriticalRequestPrioritization = cVar;
     }
 
--- a/netwerk/protocol/http/nsHttpHandler.h
+++ b/netwerk/protocol/http/nsHttpHandler.h
@@ -104,17 +104,16 @@ public:
     uint32_t       SpdySendingChunkSize() { return mSpdySendingChunkSize; }
     uint32_t       SpdySendBufferSize()      { return mSpdySendBufferSize; }
     uint32_t       SpdyPushAllowance()       { return mSpdyPushAllowance; }
     PRIntervalTime SpdyPingThreshold() { return mSpdyPingThreshold; }
     PRIntervalTime SpdyPingTimeout() { return mSpdyPingTimeout; }
     bool           AllowPush()   { return mAllowPush; }
     uint32_t       ConnectTimeout()  { return mConnectTimeout; }
     uint32_t       ParallelSpeculativeConnectLimit() { return mParallelSpeculativeConnectLimit; }
-    bool           AllowSpeculativeConnectOnLoopback() { return mAllowSpeculativeConnectOnLoopback; }
     bool           CriticalRequestPrioritization() { return mCriticalRequestPrioritization; }
     double         BypassCacheLockThreshold() { return mBypassCacheLockThreshold; }
 
     uint32_t       MaxConnectionsPerOrigin() { return mMaxPersistentConnectionsPerServer; }
     bool           UseRequestTokenBucket() { return mRequestTokenBucketEnabled; }
     uint16_t       RequestTokenBucketMinParallelism() { return mRequestTokenBucketMinParallelism; }
     uint32_t       RequestTokenBucketHz() { return mRequestTokenBucketHz; }
     uint32_t       RequestTokenBucketBurst() {return mRequestTokenBucketBurst; }
@@ -224,16 +223,19 @@ public:
     // The HTTP handler caches pointers to specific XPCOM services, and
     // provides the following helper routines for accessing those services:
     //
     nsresult GetStreamConverterService(nsIStreamConverterService **);
     nsresult GetIOService(nsIIOService** service);
     nsICookieService * GetCookieService(); // not addrefed
     nsISiteSecurityService * GetSSService();
 
+    // callable from socket thread only
+    uint32_t Get32BitsOfPseudoRandom();
+
     // Called by the channel synchronously during asyncOpen
     void OnOpeningRequest(nsIHttpChannel *chan)
     {
         NotifyObservers(chan, NS_HTTP_ON_OPENING_REQUEST_TOPIC);
     }
 
     // Called by the channel before writing a request
     void OnModifyRequest(nsIHttpChannel *chan)
@@ -475,19 +477,16 @@ private:
     // The maximum amount of time the nsICacheSession lock can be held
     // before a new transaction bypasses the cache. In milliseconds.
     double         mBypassCacheLockThreshold;
 
     // The maximum number of current global half open sockets allowable
     // when starting a new speculative connection.
     uint32_t       mParallelSpeculativeConnectLimit;
 
-    // Allow speculative connections on loopback. Primarily for testing.
-    bool           mAllowSpeculativeConnectOnLoopback;
-
     // For Rate Pacing of HTTP/1 requests through a netwerk/base/src/EventTokenBucket
     // Active requests <= *MinParallelism are not subject to the rate pacing
     bool           mRequestTokenBucketEnabled;
     uint16_t       mRequestTokenBucketMinParallelism;
     uint32_t       mRequestTokenBucketHz;  // EventTokenBucket HZ
     uint32_t       mRequestTokenBucketBurst; // EventTokenBucket Burst
 
     // Whether or not to block requests for non head js/css items (e.g. media)
--- a/netwerk/protocol/http/nsHttpTransaction.cpp
+++ b/netwerk/protocol/http/nsHttpTransaction.cpp
@@ -627,25 +627,16 @@ nsHttpTransaction::ReadSegments(nsAHttpS
         return mStatus;
     }
 
     if (!mConnected) {
         mConnected = true;
         mConnection->GetSecurityInfo(getter_AddRefs(mSecurityInfo));
     }
 
-    // Verify permission to load from private (RFC1918-like) addresses.
-    if (!(mCaps & NS_HTTP_ALLOW_PRIVATE_IP_ADDRESSES) &&
-        mConnection->PeerHasPrivateIP()) {
-        LOG(("nsHttpTransaction::ReadSegments %p private IPs forbidden; "
-             "closing transaction.", this));
-        Close(NS_ERROR_CONNECTION_REFUSED);
-        return NS_ERROR_CONNECTION_REFUSED;
-    }
-
     mReader = reader;
 
     nsresult rv = mRequestStream->ReadSegments(ReadRequestSegment, this, count, countRead);
 
     mReader = nullptr;
 
     // if read would block then we need to AsyncWait on the request stream.
     // have callback occur on socket thread so we stay synchronized.
--- a/netwerk/test/unit/test_httpResponseTimeout.js
+++ b/netwerk/test/unit/test_httpResponseTimeout.js
@@ -38,16 +38,20 @@ TimeoutListener.prototype = {
     } else {
       do_check_eq(status, Cr.NS_ERROR_NET_TIMEOUT);
     }
 
     run_next_test();
   },
 };
 
+function serverStopListener() {
+  do_test_finished();
+}
+
 function testTimeout(timeoutEnabled, expectResponse) {
   // Set timeout pref.
   if (timeoutEnabled) {
     prefService.setIntPref(kResponseTimeoutPref, kResponseTimeout);
   } else {
     prefService.setIntPref(kResponseTimeoutPref, 0);
   }
 
@@ -128,33 +132,30 @@ function setup_tests() {
   for (var i=0; i < tests.length; i++) {
     add_test(tests[i]);
   }
 }
 
 function setup_http_server() {
   // Start server; will be stopped at test cleanup time.
   server.start(-1);
-  baseURL = server.identity.primaryScheme + "://" +
-            server.identity.primaryHost + ":" +
-            server.identity.primaryPort + "/";
+  baseURL = "http://localhost:" + server.identity.primaryPort + "/";
   do_print("Using baseURL: " + baseURL);
-
   server.registerPathHandler('/', function(metadata, response) {
     // Wait until the timeout should have passed, then respond.
     response.processAsync();
 
     do_timeout((kResponseTimeout+1)*1000 /* ms */, function() {
       response.setStatusLine(metadata.httpVersion, 200, "OK");
       response.write("Hello world");
       response.finish();
     });
   });
   do_register_cleanup(function() {
-    server.stop(function() {});
+    server.stop(serverStopListener);
   });
 }
 
 function run_test() {
   setup_http_server();
 
   setup_tests();
 
deleted file mode 100644
--- a/netwerk/test/unit/test_networkZonePolicy.js
+++ /dev/null
@@ -1,613 +0,0 @@
-/* -*- Mode: javascript; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-"use strict";
-
-Cu.import("resource://testing-common/httpd.js");
-
-var ios = Cc["@mozilla.org/network/io-service;1"].getService(Ci.nsIIOService);
-var nzp = Cc["@mozilla.org/network/networkzonepolicy;1"]
-          .createInstance(Ci.nsINetworkZonePolicy);
-// HTTP Server for 'network' requests.
-var httpServ;
-// URI Base for requests.
-var uriBase;
-
-// Listener implements nsIStreamListener.
-//
-// @param expectSuccess  If true, Listener will check for request success.
-//                       If false, Listener will check for failure and ensure
-//                       no onDataAvailable calls are made.
-// @param loadGroupAllows
-//                       Indicates if loadGroup should allow or forbid private
-//                       loads AFTER the response is received. This may be
-//                       changed by the channel based on the type of channel
-//                       load.
-function Listener(expectSuccess, loadGroupAllows) {
-  this._expectSuccess = expectSuccess;
-  this._loadGroupAllows = loadGroupAllows;
-}
-
-Listener.prototype = {
-  _expectSuccess: false,
-  _loadGroupAllows: true,
-  _buffer: null,
-
-  QueryInterface: function(iid) {
-    if (iid.equals(Components.interfaces.nsIStreamListener) ||
-        iid.equals(Components.interfaces.nsIRequestObserver) ||
-        iid.equals(Components.interfaces.nsISupports))
-      return this;
-    throw Components.results.NS_ERROR_NO_INTERFACE;
-  },
-
-  onStartRequest: function(request, ctx) {
-    do_check_true(request instanceof Ci.nsIHttpChannel);
-    if (this._expectSuccess) {
-      do_check_true(Components.isSuccessCode(request.status));
-      do_check_eq(request.requestSucceeded, true);
-      do_check_eq(request.responseStatus, 200);
-      request.visitResponseHeaders({ visitHeader: function(aHeader, aValue) {
-        do_print(aHeader + ": " + aValue);
-      }});
-      do_print(request.responseStatus + ": " + request.responseStatusText);
-      this._buffer = "";
-    } else {
-      do_check_false(Components.isSuccessCode(request.status));
-    }
-  },
-
-  onDataAvailable: function(request, ctx, stream, off, cnt) {
-    do_check_true(request instanceof Ci.nsIHttpChannel);
-    if (!this._expectSuccess) {
-      do_throw("Should not get data; private load forbidden!");
-    }
-    this._buffer = this._buffer.concat(read_stream(stream, cnt));
-  },
-
-  onStopRequest: function(request, ctx, status) {
-    do_check_true(request instanceof Ci.nsIHttpChannel);
-    // Check loadgroup permission has not changed.
-    do_check_eq(request.loadGroup.allowLoadsFromPrivateNetworks,
-                this._loadGroupAllows);
-
-    if (this._expectSuccess) {
-      do_check_true(Components.isSuccessCode(status));
-    } else {
-      do_check_false(Components.isSuccessCode(status));
-    }
-    run_next_test();
-  }
-};
-
-//
-// Test Functions
-//
-
-// Ensure that the pref enables and disables private load restrictions.
-function test_basic_NetworkZonePolicy_pref() {
-  // Create loadgroup and channel for non-doc load.
-  var loadGroup = Cc["@mozilla.org/network/load-group;1"]
-                  .createInstance(Ci.nsILoadGroup);
-  var chan = ios.newChannel("http://localhost/failme/", null, null)
-             .QueryInterface(Ci.nsIHttpChannel);
-  chan.loadGroup = loadGroup;
-
-  // Verify that we're starting with the pref enabled. This should have been set
-  // during this scripts setup phase.
-  var prefs = Cc["@mozilla.org/preferences-service;1"]
-              .getService(Ci.nsIPrefBranch);
-  var nzpEnabled = prefs.getBoolPref("network.zonepolicy.enabled");
-  do_check_true(nzpEnabled);
-
-  // Verify defaults
-  do_check_eq(loadGroup.allowLoadsFromPrivateNetworks, true);
-  do_check_eq(nzp.checkPrivateNetworkPermission(chan), true);
-
-  // Set permission for doc load; verify permission changed.
-  chan.loadFlags |= Ci.nsIChannel.LOAD_DOCUMENT_URI;
-
-  nzp.setPrivateNetworkPermission(chan, false);
-  do_check_eq(loadGroup.allowLoadsFromPrivateNetworks, false);
-  do_check_eq(nzp.checkPrivateNetworkPermission(chan), false);
-
-  // Disable pref; ensure restrictions lifted.
-  prefs.setBoolPref("network.zonepolicy.enabled", false);
-  // Loadgroup permission will still be "forbid private loads".
-  do_check_eq(loadGroup.allowLoadsFromPrivateNetworks, false);
-  // NZP will report that private loads are ok.
-  do_check_eq(nzp.checkPrivateNetworkPermission(chan), true);
-
-  // Enable pref again; ensure restrictions are again in play.
-  prefs.setBoolPref("network.zonepolicy.enabled", true);
-  do_check_eq(loadGroup.allowLoadsFromPrivateNetworks, false);
-  do_check_eq(nzp.checkPrivateNetworkPermission(chan), false);
-
-  // Leaving pref on for the remainder of the tests.
-
-  run_next_test();
-}
-
-// Ensure that NetworkZonePolicy can manage permissions for a channel's
-// loadgroup; no loadgroup ancestors.
-function test_basic_NetworkZonePolicy_and_loadGroup() {
-  // Create loadgroup and channel for non-doc load.
-  var loadGroup = Cc["@mozilla.org/network/load-group;1"]
-                  .createInstance(Ci.nsILoadGroup);
-  var chan = ios.newChannel("http://localhost/failme/", null, null)
-             .QueryInterface(Ci.nsIHttpChannel);
-  chan.loadGroup = loadGroup;
-
-  // Verify defaults
-  do_check_eq(loadGroup.allowLoadsFromPrivateNetworks, true);
-  do_check_eq(nzp.checkPrivateNetworkPermission(chan), true);
-
-  // Set permission for non-doc load; verify no changes.
-  nzp.setPrivateNetworkPermission(chan, false);
-  do_check_eq(loadGroup.allowLoadsFromPrivateNetworks, true);
-  do_check_eq(nzp.checkPrivateNetworkPermission(chan), true);
-
-  // Set permission for doc load; verify permission changed.
-  chan.loadFlags |= Ci.nsIChannel.LOAD_DOCUMENT_URI;
-
-  nzp.setPrivateNetworkPermission(chan, false);
-  do_check_eq(loadGroup.allowLoadsFromPrivateNetworks, false);
-  do_check_eq(nzp.checkPrivateNetworkPermission(chan), false);
-
-  run_next_test();
-}
-
-// Ensure that NetworkZonePolicy can manage permissions for a channel's
-// loadgroup and one of its ancestors. Ancestor is specified by calling
-// function.
-function test_loadGroup_and_ancestor(loadGroup, ancestor, chan) {
-  // Verify permission defaults
-  do_check_eq(loadGroup.allowLoadsFromPrivateNetworks, true);
-  do_check_eq(ancestor.allowLoadsFromPrivateNetworks, true);
-  do_check_eq(nzp.checkPrivateNetworkPermission(chan), true);
-
-  // Set permission for non-doc load; verify no changes.
-  nzp.setPrivateNetworkPermission(chan, false);
-  do_check_eq(loadGroup.allowLoadsFromPrivateNetworks, true);
-  do_check_eq(ancestor.allowLoadsFromPrivateNetworks, true);
-  do_check_eq(nzp.checkPrivateNetworkPermission(chan), true);
-
-  // Set permission for doc load; verify permission changed for loadgroup, but
-  // not for ancestor loadgroup.
-  chan.loadFlags |= Ci.nsIChannel.LOAD_DOCUMENT_URI;
-
-  nzp.setPrivateNetworkPermission(chan, false);
-  do_check_eq(loadGroup.allowLoadsFromPrivateNetworks, false);
-  do_check_eq(ancestor.allowLoadsFromPrivateNetworks, true);
-  do_check_eq(nzp.checkPrivateNetworkPermission(chan), false);
-
-  // Verify we can set permission allowed again.
-  nzp.setPrivateNetworkPermission(chan, true);
-  do_check_eq(loadGroup.allowLoadsFromPrivateNetworks, true);
-  do_check_eq(ancestor.allowLoadsFromPrivateNetworks, true);
-  do_check_eq(nzp.checkPrivateNetworkPermission(chan), true);
-
-  // Set ancestor to forbid private loads; verify chan permission forbidden.
-  ancestor.allowLoadsFromPrivateNetworks = false;
-  do_check_eq(nzp.checkPrivateNetworkPermission(chan), false);
-  // ... loadgroup's own persmission should still be allow.
-  do_check_eq(loadGroup.allowLoadsFromPrivateNetworks, true);
-  // ... nzp should not be able to set permission to true.
-  nzp.setPrivateNetworkPermission(chan, true);
-  do_check_eq(nzp.checkPrivateNetworkPermission(chan), false);
-
-  // Reset ancestor and verify.
-  ancestor.allowLoadsFromPrivateNetworks = true;
-  do_check_eq(nzp.checkPrivateNetworkPermission(chan), true);
-  nzp.setPrivateNetworkPermission(chan, false);
-  do_check_eq(nzp.checkPrivateNetworkPermission(chan), false);
-}
-
-// Ensure that NetworkZonePolicy can manage permissions for a channel's
-// loadgroup; loadgroup has a parent loadgroup.
-function test_basic_NetworkZonePolicy_loadGroup_and_parent() {
-  // Create loadgroup, parent loadgroup and channel for non-doc load.
-  var loadGroup = Cc["@mozilla.org/network/load-group;1"]
-                  .createInstance(Ci.nsILoadGroup);
-  var loadGroupAsChild = loadGroup.QueryInterface(Ci.nsILoadGroupChild)
-  var chan = ios.newChannel("http://localhost/failme/", null, null)
-             .QueryInterface(Ci.nsIHttpChannel);
-  chan.loadGroup = loadGroup;
-
-  var parent = Cc["@mozilla.org/network/load-group;1"]
-               .createInstance(Ci.nsILoadGroup);
-  loadGroupAsChild.parentLoadGroup = parent;
-  do_check_eq(parent, loadGroupAsChild.parentLoadGroup);
-
-  test_loadGroup_and_ancestor(loadGroup, parent, chan);
-
-  run_next_test();
-}
-
-// Ensure that NetworkZonePolicy can manage permissions for a channel's
-// loadgroup; loadgroup is member of another loadgroup.
-function test_basic_NetworkZonePolicy_loadGroup_and_owner() {
-  // Create loadgroup, parent loadgroup and channel for non-doc load.
-  var loadGroup = Cc["@mozilla.org/network/load-group;1"]
-                  .createInstance(Ci.nsILoadGroup);
-  var chan = ios.newChannel("http://localhost/failme/", null, null)
-             .QueryInterface(Ci.nsIHttpChannel);
-  chan.loadGroup = loadGroup;
-
-  var owner = Cc["@mozilla.org/network/load-group;1"]
-              .createInstance(Ci.nsILoadGroup);
-  loadGroup.loadGroup = owner;
-  do_check_eq(owner, loadGroup.loadGroup);
-
-  test_loadGroup_and_ancestor(loadGroup, owner, chan);
-
-  run_next_test();
-}
-
-// Ensure that NetworkZonePolicy can manage permissions for a channel's
-// loadgroup; loadgroup is a docshell loadgroup that has a parent docshell.
-function test_basic_NetworkZonePolicy_loadGroup_and_docshell() {
-  // Create docshell and docshell parent, and get their loadgroups.
-  var docShell = Cc["@mozilla.org/docshell;1"].createInstance(Ci.nsIDocShell);
-
-  var docShellParent = Cc["@mozilla.org/docshell;1"]
-                       .createInstance(Ci.nsIDocShell);
-  docShellParent.addChild(docShell);
-
-  var loadGroup = docShell.QueryInterface(Ci.nsIDocumentLoader).loadGroup;
-  var dsParent = docShellParent.QueryInterface(Ci.nsIDocumentLoader).loadGroup;
-
-  // Create a channel for non-doc load.
-  var chan = ios.newChannel("http://localhost/failme/", null, null)
-             .QueryInterface(Ci.nsIHttpChannel);
-  chan.loadGroup = loadGroup;
-
-  test_loadGroup_and_ancestor(loadGroup, dsParent, chan);
-
-  run_next_test();
-}
-
-// Ensure that a loadgroup's immediate ancestors dictate its private load
-// permissions.
-function test_loadGroup_immediate_ancestors() {
-  // Create docshell and docshell parent, and get their loadgroups.
-  var docShell = Cc["@mozilla.org/docshell;1"].createInstance(Ci.nsIDocShell);
-  var docShellParent = Cc["@mozilla.org/docshell;1"]
-                       .createInstance(Ci.nsIDocShell);
-  docShellParent.addChild(docShell);
-
-  var loadGroup = docShell.QueryInterface(Ci.nsIDocumentLoader).loadGroup;
-  var dsParent = docShellParent.QueryInterface(Ci.nsIDocumentLoader).loadGroup;
-
-  // Add owning loadgroup.
-  var owner = Cc["@mozilla.org/network/load-group;1"]
-              .createInstance(Ci.nsILoadGroup);
-  loadGroup.loadGroup = owner;
-  do_check_eq(owner, loadGroup.loadGroup);
-
-  // Add parent loadgroup.
-  var loadGroupAsChild = loadGroup.QueryInterface(Ci.nsILoadGroupChild)
-  var parent = Cc["@mozilla.org/network/load-group;1"]
-               .createInstance(Ci.nsILoadGroup);
-  loadGroupAsChild.parentLoadGroup = parent;
-  do_check_eq(parent, loadGroupAsChild.parentLoadGroup);
-
-  // Create a channel for non-doc load.
-  var chan = ios.newChannel("http://localhost/failme/", null, null)
-             .QueryInterface(Ci.nsIHttpChannel);
-  chan.loadGroup = loadGroup;
-
-  // Verify permission defaults
-  do_check_eq(loadGroup.allowLoadsFromPrivateNetworks, true);
-  do_check_eq(dsParent.allowLoadsFromPrivateNetworks, true);
-  do_check_eq(owner.allowLoadsFromPrivateNetworks, true);
-  do_check_eq(parent.allowLoadsFromPrivateNetworks, true);
-  do_check_eq(nzp.checkPrivateNetworkPermission(chan), true);
-
-  // Set ancestors to forbid.
-  for (var i = 0; i < 8; i++) {
-    dsParent.allowLoadsFromPrivateNetworks = !!(i & 1);
-    owner.allowLoadsFromPrivateNetworks = !!(i & 2);
-    parent.allowLoadsFromPrivateNetworks = !!(i & 4);
-    // Permission allowed only when all ancestors allow private loads.
-    do_check_eq(nzp.checkPrivateNetworkPermission(chan), (i == 7));
-  }
-
-  run_next_test();
-}
-
-// Checks a channel load based on its loadgroup private load permissions.
-//
-// @param allowPrivateLoads  Indicates if private loads should be allowed on
-//                           the channel's loadgroup or not.
-// @param expectSuccessfulResponse
-//                           Indicates if the nsIStreamListener for the channel
-//                           load should expect a response with success or
-//                           failure.
-// @param urlStr             The url that should be loaded by the channel.
-//
-function test_single_loadGroup(allowPrivateLoads,
-                               expectSuccessfulResponse,
-                               urlStr) {
-  // Create loadgroup and channel for non-doc load.
-  var loadGroup = Cc["@mozilla.org/network/load-group;1"]
-                  .createInstance(Ci.nsILoadGroup);
-  var chan = ios.newChannel(urlStr, null, null)
-             .QueryInterface(Ci.nsIHttpChannel);
-  chan.loadGroup = loadGroup;
-
-  do_print("Setting loadgroup permission: " +
-           (allowPrivateLoads ? "Allowing" : "Forbidding") +
-           " private loads for " + urlStr + ".");
-  loadGroup.allowLoadsFromPrivateNetworks = allowPrivateLoads;
-
-  // Try to load channel with IP literal. For non-doc loads like this, load
-  // group permissions should not change after the response is received.
-  var listener = new Listener(expectSuccessfulResponse, allowPrivateLoads);
-  chan.asyncOpen(listener, null);
-}
-
-// Same as test_single_loadGroup but for a document load.
-function test_single_loadGroup_doc_load(allowPrivateLoads,
-                                        expectSuccessfulResponse,
-                                        loadGroupAllowsAfter,
-                                        urlStr) {
-  // Create loadgroup and channel for document load.
-  var loadGroup = Cc["@mozilla.org/network/load-group;1"]
-                  .createInstance(Ci.nsILoadGroup);
-  var chan = ios.newChannel(urlStr, null, null)
-             .QueryInterface(Ci.nsIHttpChannel);
-  chan.loadGroup = loadGroup;
-  chan.loadFlags |= Ci.nsIChannel.LOAD_DOCUMENT_URI;
-
-  do_print("Setting loadgroup permission: " +
-           (allowPrivateLoads ? "Allowing" : "Forbidding") +
-           " private loads for doc load " + urlStr + ".");
-  loadGroup.allowLoadsFromPrivateNetworks = allowPrivateLoads;
-
-  // Try to load channel with IP literal.
-  var listener = new Listener(expectSuccessfulResponse, loadGroupAllowsAfter);
-  chan.asyncOpen(listener, null);
-}
-
-function prime_cache_entry(uri, isPrivate, networkID, onEntryPrimed) {
-  do_print("Priming cache with a " + (isPrivate ? "private" : "public") +
-           " entry.");
-
-  var fakeResponseHead = "HTTP/1.1 200 OK\r\n" +
-                         "Content-Type: text/plain\r\n" +
-                         "Server: httpd.js\r\n" +
-                         "Date: " + (new Date()).toString() + "\r\n";
-
-  asyncOpenCacheEntry(uri, "disk", Ci.nsICacheStorage.OPEN_TRUNCATE, null,
-    new OpenCallback(NEW, "a1m", "a1d", function(entry) {
-      do_print("Created " + (isPrivate ? "private" : "public") + " entry");
-      entry.setMetaDataElement("request-method", "GET");
-      entry.setMetaDataElement("response-head", fakeResponseHead);
-      if (isPrivate) {
-        entry.setMetaDataElement("loaded-from-private-network", networkID);
-      }
-      do_print("Added metadata");
-      asyncOpenCacheEntry(uri, "disk", Ci.nsICacheStorage.OPEN_NORMALLY, null,
-        new OpenCallback(NORMAL, "a1m", "a1d", function(entry) {
-          do_print("Verifying " + (isPrivate ? "private" : "public") +
-                   " entry created");
-          if (isPrivate) {
-            do_check_eq(entry.getMetaDataElement("loaded-from-private-network"),
-                        networkID);
-          }
-
-          do_print((isPrivate ? "Private" : "Public") + " cache entry primed.");
-          onEntryPrimed();
-        })
-      );
-    })
-  );
-}
-
-// Create a private cache entry; if private loads are allowed, the entry will
-// be accepted. If not, the entry will be rejected, but since the server is
-// localhost the network load should also be rejected.
-function test_private_cached_entry_same_network(privateLoadAllowed) {
-  var uri = uriBase + "/failme/";
-  prime_cache_entry(uri, true, ios.networkLinkID, function() {
-    test_single_loadGroup(privateLoadAllowed, privateLoadAllowed, uri);
-  });
-}
-
-// Create a private cache entry; if private loads are allowed, the entry will
-// be accepted. If not, the entry will be rejected, but since the server is
-// localhost the network load should also be rejected.
-// LoadGroup permissions should not change after response.
-function test_private_cached_entry_same_network_doc_load(privateLoadAllowed) {
-  var uri = uriBase + "/failme/";
-  prime_cache_entry(uri, true, ios.networkLinkID, function() {
-    test_single_loadGroup_doc_load(privateLoadAllowed,
-                                   privateLoadAllowed,
-                                   privateLoadAllowed,
-                                   uri);
-  });
-}
-
-// UUID to fake a load on a different private network.
-var fakeNetworkID = "{86437A10-658B-4637-8D41-9B3693F72762}";
-
-// Ensure that privately cached entries from different networks than the current
-// one are not loaded.
-function test_private_cached_entry_diff_network(privateLoadAllowed) {
-  // We should bypass the cache entry since it was created on a different
-  // network. As such, use /passme for private loads allowed, and /failme for
-  // private loads forbidden.
-  var uri = uriBase + (privateLoadAllowed ? "/passme/" : "/failme/");
-  prime_cache_entry(uri, true, fakeNetworkID, function() {
-    test_single_loadGroup(privateLoadAllowed, privateLoadAllowed, uri);
-  });
-}
-
-// Ensure that privately cached entries from different networks than the current
-// one are not loaded; doc load.
-function test_private_cached_entry_diff_network_doc_load(privateLoadAllowed) {
-  // We should bypass the cache entry since it was created on a different
-  // network. As such, use /passme for private loads allowed, and /failme for
-  // private loads forbidden.
-  // LoadGroup permissions should not change after response.
-  var uri = uriBase + (privateLoadAllowed ? "/passme/" : "/failme/");
-  prime_cache_entry(uri, true, fakeNetworkID, function() {
-    test_single_loadGroup_doc_load(privateLoadAllowed,
-                                   privateLoadAllowed,
-                                   privateLoadAllowed,
-                                   uri);
-  });
-}
-
-// Ensure that publicly cached entries are always loaded.
-function test_public_cached_entry(privateCacheEntryAllowed) {
-  var uri = uriBase + "/failme/";
-  prime_cache_entry(uri, false, null, function() {
-    test_single_loadGroup(privateCacheEntryAllowed, true, uri);
-  });
-}
-
-// Ensure that publicly cached entries are always loaded; doc loads.
-function test_public_cached_entry_doc_load(privateCacheEntryAllowed) {
-  // Create a public cache entry for /failme; the entry should be accepted and
-  // we should not go to the network.
-  // LoadGroup permissions should forbid private loads after response.
-  var uri = uriBase + "/failme/";
-  prime_cache_entry(uri, false, null, function() {
-    test_single_loadGroup_doc_load(privateCacheEntryAllowed, true, false, uri);
-  });
-}
-
-//
-// Initialization
-//
-
-// Setup HTTP server to handle for http://localhost/passme/ and
-// http://localhost/failme/. Requests received by /failme/ will cause the test
-// script to fail. Thus, it is used to verify that specific request do not go
-// to the network.
-function setup_http_server() {
-  httpServ = new HttpServer();
-
-  httpServ.registerPathHandler("/passme/", function (metadata, response) {
-    do_print("Received request on http://localhost/passme/");
-    var httpbody = "0123456789";
-    response.setStatusLine(metadata.httpVersion, 200, "OK");
-    response.setHeader("Content-Type", "text/plain", false);
-    response.bodyOutputStream.write(httpbody, httpbody.length);
-  });
-
-  httpServ.registerPathHandler("/failme/", function (metadata, response) {
-    do_throw("http://localhost/failme/ should not not receive requests!");
-  });
-  httpServ.start(-1);
-
-  do_register_cleanup(function() {
-    httpServ.stop(function() {});
-  });
-
-  do_print("Started HTTP Server on " +
-           httpServ.identity.primaryScheme + "://" +
-           httpServ.identity.primaryHost + ":" +
-           httpServ.identity.primaryPort);
-}
-
-function setup_and_add_tests() {
-  // Get profile for disk caching.
-  do_get_profile();
-
-  // Run tests with NetworkZonePolicy enabled; set pref back to default after
-  // tests complete.
-  {
-    var prefs = Cc["@mozilla.org/preferences-service;1"]
-                .getService(Ci.nsIPrefBranch);
-    if (!prefs.getBoolPref("network.zonepolicy.enabled")) {
-      prefs.setBoolPref("network.zonepolicy.enabled", true);
-      do_register_cleanup(function() {
-        prefs.setBoolPref("network.zonepolicy.enabled", false);
-      });
-    }
-  }
-
-  uriBase = httpServ.identity.primaryScheme + "://" +
-            httpServ.identity.primaryHost + ":" +
-            httpServ.identity.primaryPort;
-
-  var tests = [
-    // Basic pref test.
-    test_basic_NetworkZonePolicy_pref,
-
-    // Verify NetworkZonePolicy can manage loadgroup permisssions.
-    test_basic_NetworkZonePolicy_and_loadGroup,
-    test_basic_NetworkZonePolicy_loadGroup_and_parent,
-    test_basic_NetworkZonePolicy_loadGroup_and_owner,
-    test_basic_NetworkZonePolicy_loadGroup_and_docshell,
-    test_loadGroup_immediate_ancestors,
-
-    // Private (localhost) network requests.
-    function test_network_private_allowed() {
-      test_single_loadGroup(true, true, uriBase + "/passme/"); },
-    function test_network_private_forbidden() {
-      test_single_loadGroup(false, false, uriBase + "/failme/"); },
-
-    // Private (localhost) network requests for document loads.
-    function test_network_private_allowed_doc_load() {
-      test_single_loadGroup_doc_load(true, true, true, uriBase + "/passme/"); },
-    function test_network_private_forbidden_doc_load() {
-      test_single_loadGroup_doc_load(false, false, false, uriBase + "/failme/"); },
-
-    // Private cache entries; same network.
-    function test_private_cache_same_network_private_allowed() {
-      test_private_cached_entry_same_network(true); },
-    function test_private_cache_same_network_private_forbidden() {
-      test_private_cached_entry_same_network(false); },
-
-    // Private cache entries; same network; doc load.
-    function test_private_cache_same_network_private_allowed_doc_load() {
-      test_private_cached_entry_same_network_doc_load(true); },
-    function test_private_cache_same_network_private_forbidden_doc_load() {
-      test_private_cached_entry_same_network_doc_load(false); },
-
-    // Private cache entries, different network.
-    function test_private_cache_diff_network_private_allowed() {
-      test_private_cached_entry_diff_network(true); },
-    function test_private_cache_diff_network_private_forbidden() {
-      test_private_cached_entry_diff_network(false); },
-
-    // Private cache entries, different network; doc load.
-    function test_private_cache_diff_network_private_allowed_doc_load() {
-      test_private_cached_entry_diff_network_doc_load(true); },
-    function test_private_cache_diff_network_private_forbidden_doc_load() {
-      test_private_cached_entry_diff_network_doc_load(false); },
-
-    // Public cache entries.
-    function test_public_cache_private_allowed() {
-      test_public_cached_entry(true); },
-    function test_public_cache_private_forbidden() {
-      test_public_cached_entry(false); },
-
-    // Public cache entries for document loads.
-    function test_public_cache_private_allowed_doc_load() {
-      test_public_cached_entry_doc_load(true); },
-    function test_public_cache_private_forbidden_doc_load() {
-      test_public_cached_entry_doc_load(false); }
-  ];
-
-  tests.forEach(function(test) {
-    add_test(test);
-  });
-
-  do_print("Added tests.");
-}
-
-function run_test() {
-  setup_http_server();
-
-  setup_and_add_tests();
-
-  run_next_test();
-}
--- a/netwerk/test/unit/test_speculative_connect.js
+++ b/netwerk/test/unit/test_speculative_connect.js
@@ -114,19 +114,17 @@ TestOutputStreamCallback.prototype = {
                     do_check_true(e.result == Cr.NS_ERROR_NET_TIMEOUT ||
                                   e.result == Cr.NS_ERROR_PROXY_CONNECTION_REFUSED);
                 } else {
                     do_check_true(e.result == Cr.NS_ERROR_NET_TIMEOUT ||
                                   e.result == Cr.NS_ERROR_CONNECTION_REFUSED);
                 }
             } else {
                 // A refusal to connect speculatively should throw an error.
-                do_check_true(e.result == Cr.NS_ERROR_UNKNOWN_HOST ||
-                              e.result == Cr.NS_ERROR_UNKNOWN_PROXY_HOST ||
-                              e.result == Cr.NS_ERROR_CONNECTION_REFUSED);
+                do_check_eq(e.result, Cr.NS_ERROR_CONNECTION_REFUSED);
             }
             this.transport.close(Cr.NS_BINDING_ABORTED);
             this.next();
             return;
         }
         // Spec Connect SUCCEEDED.
         if (this.expectSuccess) {
             do_check_true(true, "Success for " + this.hostname);
@@ -318,27 +316,15 @@ function next_test() {
     testList[testIdx++]();
 }
 
 /** run_test
  *
  * Main entry function for test execution.
  */
 function run_test() {
-    // Enable speculative connects on loopback for testing.
-    {
-        var prefs = Cc["@mozilla.org/preferences-service;1"]
-                    .getService(Ci.nsIPrefBranch);
-        if (!prefs.getBoolPref("network.http.speculative.allowLoopback")) {
-            prefs.setBoolPref("network.http.speculative.allowLoopback", true);
-            do_register_cleanup(function() {
-                prefs.setBoolPref("network.http.speculative.allowLoopback", false);
-            });
-        }
-    }
-
     ios = Cc["@mozilla.org/network/io-service;1"]
         .getService(Ci.nsIIOService);
 
     do_test_pending();
     next_test();
 }
 
--- a/netwerk/test/unit/xpcshell.ini
+++ b/netwerk/test/unit/xpcshell.ini
@@ -231,34 +231,31 @@ skip-if = os == "android"
 skip-if = os == "android"
 [test_head.js]
 [test_header_Accept-Language.js]
 [test_headers.js]
 [test_http_headers.js]
 [test_httpauth.js]
 [test_httpcancel.js]
 [test_httpResponseTimeout.js]
-# Bug 354493: fails on Android, but feature disabled by default.
-skip-if = os == "android"
 [test_httpsuspend.js]
 [test_idnservice.js]
 [test_idn_urls.js]
 [test_invalidport.js]
 [test_localstreams.js]
 [test_mismatch_last-modified.js]
 [test_MIME_params.js]
 [test_mozTXTToHTMLConv.js]
 [test_multipart_byteranges.js]
 [test_multipart_streamconv.js]
 [test_multipart_streamconv_missing_lead_boundary.js]
 [test_nestedabout_serialize.js]
 [test_net_addr.js]
 # Bug 732363: test fails on windows for unknown reasons.
 skip-if = os == "win"
-[test_networkZonePolicy.js]
 [test_nojsredir.js]
 [test_offline_status.js]
 [test_parse_content_type.js]
 [test_permmgr.js]
 [test_plaintext_sniff.js]
 [test_post.js]
 [test_private_necko_channel.js]
 # Bug 675039: intermittent fail on Android-armv6