Backed out 2 changesets (bug 1336867) for (at least) eslint failures
authorPhil Ringnalda <philringnalda@gmail.com>
Thu, 09 Feb 2017 19:02:32 -0800
changeset 388390 e9cc5acc8481aba4c28128309fffece2b00129f7
parent 388389 b209aadec5648cf28b08c548dd47f42f558b0dce
child 388391 b9f44b5a9ce19fd7957e6f53c7ef3a677bde7761
push id7198
push userjlorenzo@mozilla.com
push dateTue, 18 Apr 2017 12:07:49 +0000
treeherdermozilla-beta@d57aa49c3948 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
bugs1336867
milestone54.0a1
backs out0a4f283638cb37563a517fb34e7e0f3e43b80a7a
837766805d752810f2cb8481caf3ce974d4841e0
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Backed out 2 changesets (bug 1336867) for (at least) eslint failures CLOSED TREE Backed out changeset 0a4f283638cb (bug 1336867) Backed out changeset 837766805d75 (bug 1336867)
browser/base/content/browser.js
devtools/client/debugger/new/debugger.js
devtools/shared/webconsole/network-helper.js
security/manager/ssl/SSLServerCertVerification.cpp
security/manager/ssl/nsISiteSecurityService.idl
security/manager/ssl/nsSiteSecurityService.cpp
security/manager/ssl/nsSiteSecurityService.h
security/manager/ssl/tests/gtest/STSParserTest.cpp
security/manager/ssl/tests/gtest/moz.build
security/manager/ssl/tests/mochitest/browser/browser_bug627234_perwindowpb.js
security/manager/ssl/tests/mochitest/stricttransportsecurity/test_sts_privatebrowsing_perwindowpb.html
security/manager/ssl/tests/unit/sss_readstate_child_worker.js
security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js
security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js
security/manager/ssl/tests/unit/test_pinning_dynamic.js
security/manager/ssl/tests/unit/test_pinning_header_parsing.js
security/manager/ssl/tests/unit/test_sss_eviction.js
security/manager/ssl/tests/unit/test_sss_readstate.js
security/manager/ssl/tests/unit/test_sss_readstate_empty.js
security/manager/ssl/tests/unit/test_sss_readstate_garbage.js
security/manager/ssl/tests/unit/test_sss_readstate_huge.js
security/manager/ssl/tests/unit/test_sts_fqdn.js
security/manager/ssl/tests/unit/test_sts_holepunch.js
security/manager/ssl/tests/unit/test_sts_ipv4_ipv6.js
security/manager/ssl/tests/unit/test_sts_parser.js
security/manager/ssl/tests/unit/test_sts_preload_dynamic.js
security/manager/ssl/tests/unit/test_sts_preloadlist_perwindowpb.js
security/manager/ssl/tests/unit/test_sts_preloadlist_selfdestruct.js
security/manager/ssl/tests/unit/xpcshell.ini
services/common/tests/unit/test_blocklist_pinning.js
--- a/browser/base/content/browser.js
+++ b/browser/base/content/browser.js
@@ -3271,25 +3271,25 @@ function getDetailedCertErrorInfo(locati
   let errors = Cc["@mozilla.org/nss_errors_service;1"]
                   .getService(Ci.nsINSSErrorsService);
 
   certErrorDetails += "\r\n\r\n" + errors.getErrorMessage(errors.getXPCOMFromNSSError(code));
 
   const sss = Cc["@mozilla.org/ssservice;1"]
                  .getService(Ci.nsISiteSecurityService);
   // SiteSecurityService uses different storage if the channel is
-  // private. Thus we must give isSecureURI correct flags or we
+  // private. Thus we must give isSecureHost correct flags or we
   // might get incorrect results.
   let flags = PrivateBrowsingUtils.isWindowPrivate(window) ?
               Ci.nsISocketProvider.NO_PERMANENT_STORAGE : 0;
 
   let uri = Services.io.newURI(location);
 
-  let hasHSTS = sss.isSecureURI(sss.HEADER_HSTS, uri, flags);
-  let hasHPKP = sss.isSecureURI(sss.HEADER_HPKP, uri, flags);
+  let hasHSTS = sss.isSecureHost(sss.HEADER_HSTS, uri.host, flags);
+  let hasHPKP = sss.isSecureHost(sss.HEADER_HPKP, uri.host, flags);
   certErrorDetails += "\r\n\r\n" +
                       gNavigatorBundle.getFormattedString("certErrorDetailsHSTS.label",
                                                           [hasHSTS]);
   certErrorDetails += "\r\n" +
                       gNavigatorBundle.getFormattedString("certErrorDetailsKeyPinning.label",
                                                           [hasHPKP]);
 
   let certChain = "";
--- a/devtools/client/debugger/new/debugger.js
+++ b/devtools/client/debugger/new/debugger.js
@@ -8956,29 +8956,25 @@ var Debugger =
 	
 	      // HSTS and HPKP if available.
 	      if (httpActivity.hostname) {
 	        const sss = Cc("@mozilla.org/ssservice;1")
 	                      .getService(Ci.nsISiteSecurityService);
 	
 	
 	        // SiteSecurityService uses different storage if the channel is
-	        // private. Thus we must give isSecureURI correct flags or we
+	        // private. Thus we must give isSecureHost correct flags or we
 	        // might get incorrect results.
 	        let flags = (httpActivity.private) ?
 	                      Ci.nsISocketProvider.NO_PERMANENT_STORAGE : 0;
 	
-                if (!uri) {
-                  // isSecureURI only cares about the host, not the scheme.
-                  let host = httpActivity.hostname;
-                  uri = Services.io.newURI("https://" + host);
-                }
-
-	        info.hsts = sss.isSecureURI(sss.HEADER_HSTS, uri, flags);
-	        info.hpkp = sss.isSecureURI(sss.HEADER_HPKP, uri, flags);
+	        let host = httpActivity.hostname;
+	
+	        info.hsts = sss.isSecureHost(sss.HEADER_HSTS, host, flags);
+	        info.hpkp = sss.isSecureHost(sss.HEADER_HPKP, host, flags);
 	      } else {
 	        DevToolsUtils.reportException("NetworkHelper.parseSecurityInfo",
 	          "Could not get HSTS/HPKP status as hostname is not available.");
 	        info.hsts = false;
 	        info.hpkp = false;
 	      }
 	
 	    } else {
@@ -37651,29 +37647,25 @@ var Debugger =
 	
 	      // HSTS and HPKP if available.
 	      if (httpActivity.hostname) {
 	        const sss = Cc("@mozilla.org/ssservice;1")
 	                      .getService(Ci.nsISiteSecurityService);
 	
 	
 	        // SiteSecurityService uses different storage if the channel is
-	        // private. Thus we must give isSecureURI correct flags or we
+	        // private. Thus we must give isSecureHost correct flags or we
 	        // might get incorrect results.
 	        let flags = (httpActivity.private) ?
 	                      Ci.nsISocketProvider.NO_PERMANENT_STORAGE : 0;
 	
-                if (!uri) {
-                  // isSecureURI only cares about the host, not the scheme.
-                  let host = httpActivity.hostname;
-                  uri = Services.io.newURI("https://" + host);
-                }
-
-	        info.hsts = sss.isSecureURI(sss.HEADER_HSTS, uri, flags);
-	        info.hpkp = sss.isSecureURI(sss.HEADER_HPKP, uri, flags);
+	        let host = httpActivity.hostname;
+	
+	        info.hsts = sss.isSecureHost(sss.HEADER_HSTS, host, flags);
+	        info.hpkp = sss.isSecureHost(sss.HEADER_HPKP, host, flags);
 	      } else {
 	        DevToolsUtils.reportException("NetworkHelper.parseSecurityInfo",
 	          "Could not get HSTS/HPKP status as hostname is not available.");
 	        info.hsts = false;
 	        info.hpkp = false;
 	      }
 	
 	    } else {
--- a/devtools/shared/webconsole/network-helper.js
+++ b/devtools/shared/webconsole/network-helper.js
@@ -628,29 +628,25 @@ var NetworkHelper = {
       info.cert = this.parseCertificateInfo(SSLStatus.serverCert);
 
       // HSTS and HPKP if available.
       if (httpActivity.hostname) {
         const sss = Cc["@mozilla.org/ssservice;1"]
                       .getService(Ci.nsISiteSecurityService);
 
         // SiteSecurityService uses different storage if the channel is
-        // private. Thus we must give isSecureURI correct flags or we
+        // private. Thus we must give isSecureHost correct flags or we
         // might get incorrect results.
         let flags = (httpActivity.private) ?
                       Ci.nsISocketProvider.NO_PERMANENT_STORAGE : 0;
 
-        if (!uri) {
-          // isSecureURI only cares about the host, not the scheme.
-          let host = httpActivity.hostname;
-          uri = Services.io.newURI("https://" + host);
-        }
+        let host = httpActivity.hostname;
 
-        info.hsts = sss.isSecureURI(sss.HEADER_HSTS, uri, flags);
-        info.hpkp = sss.isSecureURI(sss.HEADER_HPKP, uri, flags);
+        info.hsts = sss.isSecureHost(sss.HEADER_HSTS, host, flags);
+        info.hpkp = sss.isSecureHost(sss.HEADER_HPKP, host, flags);
       } else {
         DevToolsUtils.reportException("NetworkHelper.parseSecurityInfo",
           "Could not get HSTS/HPKP status as hostname is not available.");
         info.hsts = false;
         info.hpkp = false;
       }
     } else {
       // The connection failed.
--- a/security/manager/ssl/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/SSLServerCertVerification.cpp
@@ -506,42 +506,32 @@ CertErrorRunnable::CheckCertOverrides()
   nsCOMPtr<nsISiteSecurityService> sss(do_GetService(NS_SSSERVICE_CONTRACTID));
   if (!sss) {
     MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
            ("[%p][%p] couldn't get nsISiteSecurityService to check for HSTS/HPKP\n",
             mFdForLogging, this));
     return new SSLServerCertVerificationResult(mInfoObject,
                                                mDefaultErrorCodeToReport);
   }
-  nsCOMPtr<nsIURI> uri;
-  nsresult nsrv = NS_NewURI(getter_AddRefs(uri),
-                            NS_LITERAL_CSTRING("https://") +
-                            mInfoObject->GetHostName());
-  if (NS_FAILED(nsrv)) {
-    MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
-            ("[%p][%p] Creating new URI failed\n", mFdForLogging, this));
-    return new SSLServerCertVerificationResult(mInfoObject,
-                                               mDefaultErrorCodeToReport);
-  }
-  nsrv = sss->IsSecureURI(nsISiteSecurityService::HEADER_HSTS,
-                          uri,
-                          mProviderFlags,
-                          nullptr,
-                          &strictTransportSecurityEnabled);
+  nsresult nsrv = sss->IsSecureHost(nsISiteSecurityService::HEADER_HSTS,
+                                    mInfoObject->GetHostName(),
+                                    mProviderFlags,
+                                    nullptr,
+                                    &strictTransportSecurityEnabled);
   if (NS_FAILED(nsrv)) {
     MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
            ("[%p][%p] checking for HSTS failed\n", mFdForLogging, this));
     return new SSLServerCertVerificationResult(mInfoObject,
                                                mDefaultErrorCodeToReport);
   }
-  nsrv = sss->IsSecureURI(nsISiteSecurityService::HEADER_HPKP,
-                          uri,
-                          mProviderFlags,
-                          nullptr,
-                          &hasPinningInformation);
+  nsrv = sss->IsSecureHost(nsISiteSecurityService::HEADER_HPKP,
+                           mInfoObject->GetHostName(),
+                           mProviderFlags,
+                           nullptr,
+                           &hasPinningInformation);
   if (NS_FAILED(nsrv)) {
     MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
            ("[%p][%p] checking for HPKP failed\n", mFdForLogging, this));
     return new SSLServerCertVerificationResult(mInfoObject,
                                                mDefaultErrorCodeToReport);
   }
 
   if (!strictTransportSecurityEnabled && !hasPinningInformation) {
--- a/security/manager/ssl/nsISiteSecurityService.idl
+++ b/security/manager/ssl/nsISiteSecurityService.idl
@@ -117,30 +117,57 @@ interface nsISiteSecurityService : nsISu
                        in ACString aHeader,
                        in nsISSLStatus aSSLStatus,
                        in uint32_t aFlags,
                        [optional] out unsigned long long aMaxAge,
                        [optional] out boolean aIncludeSubdomains,
                        [optional] out uint32_t aFailureResult);
 
     /**
+     * Same as processHeader but without checking for the security properties
+     * of the connection. Use ONLY for testing.
+     */
+    void unsafeProcessHeader(in uint32_t aType,
+                             in nsIURI aSourceURI,
+                             in ACString aHeader,
+                             in uint32_t aFlags,
+                             [optional] out unsigned long long aMaxAge,
+                             [optional] out boolean aIncludeSubdomains,
+                             [optional] out uint32_t aFailureResult);
+
+    /**
      * Given a header type, removes state relating to that header of a host,
      * including the includeSubdomains state that would affect subdomains.
      * This essentially removes the state for the domain tree rooted at this
      * host.
      * @param aType   the type of security state in question
      * @param aURI    the URI of the target host
      * @param aFlags  options for this request as defined in nsISocketProvider:
      *                  NO_PERMANENT_STORAGE
      */
     void removeState(in uint32_t aType,
                      in nsIURI aURI,
                      in uint32_t aFlags);
 
     /**
+     * See isSecureURI
+     *
+     * @param aType the type of security state in question.
+     * @param aHost the hostname (punycode) to query for state.
+     * @param aFlags  options for this request as defined in nsISocketProvider:
+     *                  NO_PERMANENT_STORAGE
+     * @param aCached true if we have cached information regarding whether or not
+     *                  the host is HSTS, false otherwise.
+     */
+    boolean isSecureHost(in uint32_t aType,
+                         in ACString aHost,
+                         in uint32_t aFlags,
+                         [optional] out boolean aCached);
+
+    /**
      * Checks whether or not the URI's hostname has a given security state set.
      * For example, for HSTS:
      * The URI is an HSTS URI if either the host has the HSTS state set, or one
      * of its super-domains has the HSTS "includeSubdomains" flag set.
      * NOTE: this function makes decisions based only on the
      * host contained in the URI, and disregards other portions of the URI
      * such as path and port.
      *
--- a/security/manager/ssl/nsSiteSecurityService.cpp
+++ b/security/manager/ssl/nsSiteSecurityService.cpp
@@ -570,16 +570,36 @@ nsSiteSecurityService::ProcessHeader(uin
                  NS_ERROR_NOT_IMPLEMENTED);
 
   NS_ENSURE_ARG(aSSLStatus);
   return ProcessHeaderInternal(aType, aSourceURI, PromiseFlatCString(aHeader),
                                aSSLStatus, aFlags, aMaxAge, aIncludeSubdomains,
                                aFailureResult);
 }
 
+NS_IMETHODIMP
+nsSiteSecurityService::UnsafeProcessHeader(uint32_t aType,
+                                           nsIURI* aSourceURI,
+                                           const nsACString& aHeader,
+                                           uint32_t aFlags,
+                                           uint64_t* aMaxAge,
+                                           bool* aIncludeSubdomains,
+                                           uint32_t* aFailureResult)
+{
+  // Child processes are not allowed direct access to this.
+  if (!XRE_IsParentProcess()) {
+    MOZ_CRASH("Child process: no direct access to "
+              "nsISiteSecurityService::UnsafeProcessHeader");
+  }
+
+  return ProcessHeaderInternal(aType, aSourceURI, PromiseFlatCString(aHeader),
+                               nullptr, aFlags, aMaxAge, aIncludeSubdomains,
+                               aFailureResult);
+}
+
 nsresult
 nsSiteSecurityService::ProcessHeaderInternal(uint32_t aType,
                                              nsIURI* aSourceURI,
                                              const nsCString& aHeader,
                                              nsISSLStatus* aSSLStatus,
                                              uint32_t aFlags,
                                              uint64_t* aMaxAge,
                                              bool* aIncludeSubdomains,
@@ -1192,17 +1212,17 @@ nsSiteSecurityService::HostHasHSTSEntry(
       *aCached = true;
     }
     return true;
   }
 
   return false;
 }
 
-nsresult
+NS_IMETHODIMP
 nsSiteSecurityService::IsSecureHost(uint32_t aType, const nsACString& aHost,
                                     uint32_t aFlags, bool* aCached,
                                     bool* aResult)
 {
   // Child processes are not allowed direct access to this.
   if (!XRE_IsParentProcess() && aType != nsISiteSecurityService::HEADER_HSTS) {
     MOZ_CRASH("Child process: no direct access to "
               "nsISiteSecurityService::IsSecureHost for non-HSTS entries");
--- a/security/manager/ssl/nsSiteSecurityService.h
+++ b/security/manager/ssl/nsSiteSecurityService.h
@@ -167,18 +167,16 @@ private:
   nsresult SetHPKPState(const char* aHost, SiteHPKPState& entry, uint32_t flags,
                         bool aIsPreload);
   nsresult RemoveStateInternal(uint32_t aType, const nsAutoCString& aHost,
                                uint32_t aFlags, bool aIsPreload);
   bool HostHasHSTSEntry(const nsAutoCString& aHost,
                         bool aRequireIncludeSubdomains, uint32_t aFlags,
                         bool* aResult, bool* aCached);
   const nsSTSPreload *GetPreloadListEntry(const char *aHost);
-  nsresult IsSecureHost(uint32_t aType, const nsACString& aHost,
-                        uint32_t aFlags, bool* aCached, bool* aResult);
 
   uint64_t mMaxMaxAge;
   bool mUsePreloadList;
   int64_t mPreloadListTimeOffset;
   bool mProcessPKPHeadersFromNonBuiltInRoots;
   RefPtr<mozilla::DataStorage> mSiteStateStorage;
   RefPtr<mozilla::DataStorage> mPreloadStateStorage;
 };
rename from security/manager/ssl/tests/unit/test_sts_parser.js
rename to security/manager/ssl/tests/gtest/STSParserTest.cpp
--- a/security/manager/ssl/tests/unit/test_sts_parser.js
+++ b/security/manager/ssl/tests/gtest/STSParserTest.cpp
@@ -1,110 +1,147 @@
-/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
- * vim: sw=2 ts=2 sts=2
- * This Source Code Form is subject to the terms of the Mozilla Public
+/* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-"use strict";
+#include <stdio.h>
 
-// STS parser tests
+#include "gtest/gtest.h"
+#include "nsDependentString.h"
+#include "nsNetUtil.h"
+#include "nsISiteSecurityService.h"
+#include "nsIURI.h"
 
-let sss = Cc["@mozilla.org/ssservice;1"].getService(Ci.nsISiteSecurityService);
-let sslStatus = new FakeSSLStatus();
-
-function testSuccess(header, expectedMaxAge, expectedIncludeSubdomains) {
-  let dummyUri = Services.io.newURI("https://foo.com/bar.html");
-  let maxAge = {};
-  let includeSubdomains = {};
+void
+TestSuccess(const char* hdr, bool extraTokens,
+            uint64_t expectedMaxAge, bool expectedIncludeSubdomains,
+            nsISiteSecurityService* sss)
+{
+  nsCOMPtr<nsIURI> dummyUri;
+  nsresult rv = NS_NewURI(getter_AddRefs(dummyUri), "https://foo.com/bar.html");
+  ASSERT_TRUE(NS_SUCCEEDED(rv)) << "Failed to create URI";
 
-  sss.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, dummyUri, header,
-                    sslStatus, 0, maxAge, includeSubdomains);
+  uint64_t maxAge = 0;
+  bool includeSubdomains = false;
+  rv = sss->UnsafeProcessHeader(nsISiteSecurityService::HEADER_HSTS, dummyUri,
+                                nsDependentCString(hdr), 0, &maxAge,
+                                &includeSubdomains, nullptr);
+  ASSERT_TRUE(NS_SUCCEEDED(rv)) << "Failed to process valid header: " << hdr;
 
-  equal(maxAge.value, expectedMaxAge, "Did not correctly parse maxAge");
-  equal(includeSubdomains.value, expectedIncludeSubdomains,
-        "Did not correctly parse presence/absence of includeSubdomains");
-}
+  ASSERT_EQ(maxAge, expectedMaxAge) << "Did not correctly parse maxAge";
+  EXPECT_EQ(includeSubdomains, expectedIncludeSubdomains) <<
+    "Did not correctly parse presence/absence of includeSubdomains";
 
-function testFailure(header) {
-  let dummyUri = Services.io.newURI("https://foo.com/bar.html");
-  throws(() => {
-    sss.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, dummyUri, header,
-                      sslStatus, 0, maxAge, includeSubdomains);
-  }, "Parsed invalid header: " + header);
+  if (extraTokens) {
+    EXPECT_EQ(rv, NS_SUCCESS_LOSS_OF_INSIGNIFICANT_DATA) <<
+      "Extra tokens were expected when parsing, but were not encountered.";
+  } else {
+    EXPECT_EQ(rv, NS_OK) << "Unexpected tokens found during parsing.";
+  }
+
+  printf("%s\n", hdr);
 }
 
-function run_test() {
-    // SHOULD SUCCEED:
-    testSuccess("max-age=100", 100, false);
-    testSuccess("max-age  =100", 100, false);
-    testSuccess(" max-age=100", 100, false);
-    testSuccess("max-age = 100 ", 100, false);
-    testSuccess('max-age = "100" ', 100, false);
-    testSuccess('max-age="100"', 100, false);
-    testSuccess(' max-age ="100" ', 100, false);
-    testSuccess("\tmax-age\t=\t\"100\"\t", 100, false);
-    testSuccess("max-age  =       100             ", 100, false);
+void TestFailure(const char* hdr,
+                 nsISiteSecurityService* sss)
+{
+  nsCOMPtr<nsIURI> dummyUri;
+  nsresult rv = NS_NewURI(getter_AddRefs(dummyUri), "https://foo.com/bar.html");
+  ASSERT_TRUE(NS_SUCCEEDED(rv)) << "Failed to create URI";
+
+  rv = sss->UnsafeProcessHeader(nsISiteSecurityService::HEADER_HSTS, dummyUri,
+                                nsDependentCString(hdr), 0, nullptr, nullptr,
+                                nullptr);
+  ASSERT_TRUE(NS_FAILED(rv)) << "Parsed invalid header: " << hdr;
+
+  printf("%s\n", hdr);
+}
+
+TEST(psm_STSParser, Test)
+{
+    nsresult rv;
+
+    // grab handle to the service
+    nsCOMPtr<nsISiteSecurityService> sss;
+    sss = do_GetService("@mozilla.org/ssservice;1", &rv);
+    ASSERT_TRUE(NS_SUCCEEDED(rv));
+
+    // *** parsing tests
+    printf("*** Attempting to parse valid STS headers ...\n");
 
-    testSuccess("maX-aGe=100", 100, false);
-    testSuccess("MAX-age  =100", 100, false);
-    testSuccess("max-AGE=100", 100, false);
-    testSuccess("Max-Age = 100 ", 100, false);
-    testSuccess("MAX-AGE = 100 ", 100, false);
+    // SHOULD SUCCEED:
+    TestSuccess("max-age=100", false, 100, false, sss);
+    TestSuccess("max-age  =100", false, 100, false, sss);
+    TestSuccess(" max-age=100", false, 100, false, sss);
+    TestSuccess("max-age = 100 ", false, 100, false, sss);
+    TestSuccess(R"(max-age = "100" )", false, 100, false, sss);
+    TestSuccess(R"(max-age="100")", false, 100, false, sss);
+    TestSuccess(R"( max-age ="100" )", false, 100, false, sss);
+    TestSuccess("\tmax-age\t=\t\"100\"\t", false, 100, false, sss);
+    TestSuccess("max-age  =       100             ", false, 100, false, sss);
 
-    testSuccess("max-age=100;includeSubdomains", 100, true);
-    testSuccess("max-age=100\t; includeSubdomains", 100, true);
-    testSuccess(" max-age=100; includeSubdomains", 100, true);
-    testSuccess("max-age = 100 ; includeSubdomains", 100, true);
-    testSuccess("max-age  =       100             ; includeSubdomains", 100,
-                true);
+    TestSuccess("maX-aGe=100", false, 100, false, sss);
+    TestSuccess("MAX-age  =100", false, 100, false, sss);
+    TestSuccess("max-AGE=100", false, 100, false, sss);
+    TestSuccess("Max-Age = 100 ", false, 100, false, sss);
+    TestSuccess("MAX-AGE = 100 ", false, 100, false, sss);
 
-    testSuccess("maX-aGe=100; includeSUBDOMAINS", 100, true);
-    testSuccess("MAX-age  =100; includeSubDomains", 100, true);
-    testSuccess("max-AGE=100; iNcLuDeSuBdoMaInS", 100, true);
-    testSuccess("Max-Age = 100; includesubdomains ", 100, true);
-    testSuccess("INCLUDESUBDOMAINS;MaX-AgE = 100 ", 100, true);
+    TestSuccess("max-age=100;includeSubdomains", false, 100, true, sss);
+    TestSuccess("max-age=100\t; includeSubdomains", false, 100, true, sss);
+    TestSuccess(" max-age=100; includeSubdomains", false, 100, true, sss);
+    TestSuccess("max-age = 100 ; includeSubdomains", false, 100, true, sss);
+    TestSuccess("max-age  =       100             ; includeSubdomains",
+                false, 100, true, sss);
+
+    TestSuccess("maX-aGe=100; includeSUBDOMAINS", false, 100, true, sss);
+    TestSuccess("MAX-age  =100; includeSubDomains", false, 100, true, sss);
+    TestSuccess("max-AGE=100; iNcLuDeSuBdoMaInS", false, 100, true, sss);
+    TestSuccess("Max-Age = 100; includesubdomains ", false, 100, true, sss);
+    TestSuccess("INCLUDESUBDOMAINS;MaX-AgE = 100 ", false, 100, true, sss);
     // Turns out, the actual directive is entirely optional (hence the
     // trailing semicolon)
-    testSuccess("max-age=100;includeSubdomains;", 100, true);
+    TestSuccess("max-age=100;includeSubdomains;", true, 100, true, sss);
 
     // these are weird tests, but are testing that some extended syntax is
     // still allowed (but it is ignored)
-    testSuccess("max-age=100 ; includesubdomainsSomeStuff", 100, false);
-    testSuccess("\r\n\t\t    \tcompletelyUnrelated = foobar; max-age= 34520103"
-                + "\t \t; alsoUnrelated;asIsThis;\tincludeSubdomains\t\t \t",
-                34520103, true);
-    testSuccess('max-age=100; unrelated="quoted \\"thingy\\""', 100, false);
+    TestSuccess("max-age=100 ; includesubdomainsSomeStuff",
+                true, 100, false, sss);
+    TestSuccess("\r\n\t\t    \tcompletelyUnrelated = foobar; max-age= 34520103"
+                "\t \t; alsoUnrelated;asIsThis;\tincludeSubdomains\t\t \t",
+                true, 34520103, true, sss);
+    TestSuccess(R"(max-age=100; unrelated="quoted \"thingy\"")",
+                true, 100, false, sss);
 
     // SHOULD FAIL:
+    printf("* Attempting to parse invalid STS headers (should not parse)...\n");
     // invalid max-ages
-    testFailure("max-age");
-    testFailure("max-age ");
-    testFailure("max-age=p");
-    testFailure("max-age=*1p2");
-    testFailure("max-age=.20032");
-    testFailure("max-age=!20032");
-    testFailure("max-age==20032");
+    TestFailure("max-age", sss);
+    TestFailure("max-age ", sss);
+    TestFailure("max-age=p", sss);
+    TestFailure("max-age=*1p2", sss);
+    TestFailure("max-age=.20032", sss);
+    TestFailure("max-age=!20032", sss);
+    TestFailure("max-age==20032", sss);
 
     // invalid headers
-    testFailure("foobar");
-    testFailure("maxage=100");
-    testFailure("maxa-ge=100");
-    testFailure("max-ag=100");
-    testFailure("includesubdomains");
-    testFailure(";");
-    testFailure('max-age="100');
+    TestFailure("foobar", sss);
+    TestFailure("maxage=100", sss);
+    TestFailure("maxa-ge=100", sss);
+    TestFailure("max-ag=100", sss);
+    TestFailure("includesubdomains", sss);
+    TestFailure(";", sss);
+    TestFailure(R"(max-age="100)", sss);
     // The max-age directive here doesn't conform to the spec, so it MUST
     // be ignored. Consequently, the REQUIRED max-age directive is not
     // present in this header, and so it is invalid.
-    testFailure("max-age=100, max-age=200; includeSubdomains");
-    testFailure("max-age=100 includesubdomains");
-    testFailure("max-age=100 bar foo");
-    testFailure("max-age=100randomstuffhere");
+    TestFailure("max-age=100, max-age=200; includeSubdomains", sss);
+    TestFailure("max-age=100 includesubdomains", sss);
+    TestFailure("max-age=100 bar foo", sss);
+    TestFailure("max-age=100randomstuffhere", sss);
     // All directives MUST appear only once in an STS header field.
-    testFailure("max-age=100; max-age=200");
-    testFailure("includeSubdomains; max-age=200; includeSubdomains");
-    testFailure("max-age=200; includeSubdomains; includeSubdomains");
+    TestFailure("max-age=100; max-age=200", sss);
+    TestFailure("includeSubdomains; max-age=200; includeSubdomains", sss);
+    TestFailure("max-age=200; includeSubdomains; includeSubdomains", sss);
     // The includeSubdomains directive is valueless.
-    testFailure("max-age=100; includeSubdomains=unexpected");
+    TestFailure("max-age=100; includeSubdomains=unexpected", sss);
     // LWS must have at least one space or horizontal tab
-    testFailure("\r\nmax-age=200");
+    TestFailure("\r\nmax-age=200", sss);
 }
--- a/security/manager/ssl/tests/gtest/moz.build
+++ b/security/manager/ssl/tests/gtest/moz.build
@@ -5,16 +5,17 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 SOURCES += [
     'CertDBTest.cpp',
     'DataStorageTest.cpp',
     'DeserializeCertTest.cpp',
     'MD4Test.cpp',
     'OCSPCacheTest.cpp',
+    'STSParserTest.cpp',
     'TLSIntoleranceTest.cpp',
 ]
 
 LOCAL_INCLUDES += [
     '/security/certverifier',
     '/security/manager/ssl',
     '/security/pkix/include',
     '/security/pkix/test/lib',
--- a/security/manager/ssl/tests/mochitest/browser/browser_bug627234_perwindowpb.js
+++ b/security/manager/ssl/tests/mochitest/browser/browser_bug627234_perwindowpb.js
@@ -49,19 +49,17 @@ function test() {
   }
 
   function doTest(aIsPrivateMode, aWindow, aCallback) {
     aWindow.gBrowser.selectedBrowser.addEventListener("load", function() {
       let sslStatus = new FakeSSLStatus();
       uri = aWindow.Services.io.newURI("https://localhost/img.png");
       gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                                "max-age=1000", sslStatus, privacyFlags(aIsPrivateMode));
-      ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
-                                privacyFlags(aIsPrivateMode)),
-                                "checking sts host");
+      ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS, "localhost", privacyFlags(aIsPrivateMode)), "checking sts host");
 
       aCallback();
     }, {capture: true, once: true});
 
     aWindow.gBrowser.selectedBrowser.loadURI(testURI);
   }
 
   function testOnWindow(aOptions, aCallback) {
--- a/security/manager/ssl/tests/mochitest/stricttransportsecurity/test_sts_privatebrowsing_perwindowpb.html
+++ b/security/manager/ssl/tests/mochitest/stricttransportsecurity/test_sts_privatebrowsing_perwindowpb.html
@@ -26,17 +26,16 @@
     "tests/security/manager/ssl/tests/mochitest/stricttransportsecurity";
   const NUM_TEST_FRAMES = 4;
   const CONTENT_PAGE =
     "http://mochi.test:8888/chrome/security/manager/ssl/tests/mochitest/stricttransportsecurity/page_blank.html";
 
   Cu.import("resource://testing-common/BrowserTestUtils.jsm");
   Cu.import("resource://testing-common/ContentTask.jsm");
   Cu.import("resource://gre/modules/Task.jsm");
-  Cu.import("resource://gre/modules/Services.jsm");
 
   // This is how many sub-tests (testframes) in each round.
   // When the round begins, this will be initialized.
   var testsleftinround = 0;
   var currentround = "";
   var mainWindow =
     window.QueryInterface(Ci.nsIInterfaceRequestor).
     getInterface(Ci.nsIWebNavigation).QueryInterface(Ci.nsIDocShellTreeItem).
@@ -238,19 +237,17 @@
     SpecialPowers.cleanUpSTSData("http://example.com", flags);
     dump_STSState(isPrivate);
   }
 
   function dump_STSState(isPrivate) {
     let sss = Cc["@mozilla.org/ssservice;1"]
                 .getService(Ci.nsISiteSecurityService);
     let flags = isPrivate ? Ci.nsISocketProvider.NO_PERMANENT_STORAGE : 0;
-    SimpleTest.info("State of example.com: " +
-      sss.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                      Services.io.newURI("https://example.com"), flags));
+    SimpleTest.info("State of example.com: " + sss.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS, "example.com", flags));
   }
 
   // These are executed in the order presented.
   // 0.  test that STS works before entering private browsing mode.
   //     (load sts-bootstrapped "plain" tests)
   //  ... clear any STS data ...
   // 1.  test that STS works in private browsing mode
   //     (load sts-bootstrapped "subdomain" tests)
--- a/security/manager/ssl/tests/unit/sss_readstate_child_worker.js
+++ b/security/manager/ssl/tests/unit/sss_readstate_child_worker.js
@@ -1,33 +1,25 @@
 /* import-globals-from head_psm.js */
 "use strict";
 
 function run_test() {
   let SSService = Cc["@mozilla.org/ssservice;1"]
                     .getService(Ci.nsISiteSecurityService);
 
-  ok(!SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                            Services.io.newURI("https://expired.example.com"),
-                            0));
-  ok(SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                           Services.io.newURI("https://notexpired.example.com"),
-                           0));
-  ok(SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                           Services.io.newURI("https://bugzilla.mozilla.org"),
-                           0));
-  ok(!SSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://sub.bugzilla.mozilla.org"), 0));
-  ok(SSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://incsubdomain.example.com"), 0));
-  ok(SSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://sub.incsubdomain.example.com"), 0));
-  ok(!SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                            Services.io.newURI("https://login.persona.org"),
-                            0));
-  ok(!SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                            Services.io.newURI("https://sub.login.persona.org"),
-                            0));
+  ok(!SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "expired.example.com", 0));
+  ok(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                            "notexpired.example.com", 0));
+  ok(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                            "bugzilla.mozilla.org", 0));
+  ok(!SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "sub.bugzilla.mozilla.org", 0));
+  ok(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                            "incsubdomain.example.com", 0));
+  ok(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                            "sub.incsubdomain.example.com", 0));
+  ok(!SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "login.persona.org", 0));
+  ok(!SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "sub.login.persona.org", 0));
   do_test_finished();
 }
--- a/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js
+++ b/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js
@@ -49,55 +49,64 @@ var sslStatus = new FakeSSLStatus(constr
 // and then checking that the platform doesn't consider a.pinning2.example.com
 // to be HSTS or HPKP any longer.
 add_task(function* () {
   sss.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri, GOOD_MAX_AGE,
                     sslStatus, 0);
   sss.processHeader(Ci.nsISiteSecurityService.HEADER_HPKP, uri,
                     GOOD_MAX_AGE + VALID_PIN + BACKUP_PIN, sslStatus, 0);
 
-  Assert.ok(sss.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0),
+  Assert.ok(sss.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "a.pinning2.example.com", 0),
             "a.pinning2.example.com should be HSTS");
-  Assert.ok(sss.isSecureURI(Ci.nsISiteSecurityService.HEADER_HPKP, uri, 0),
+  Assert.ok(sss.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
+                             "a.pinning2.example.com", 0),
             "a.pinning2.example.com should be HPKP");
 
   yield ForgetAboutSite.removeDataFromDomain("a.pinning2.example.com");
 
-  Assert.ok(!sss.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0),
+  Assert.ok(!sss.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                              "a.pinning2.example.com", 0),
             "a.pinning2.example.com should not be HSTS now");
-  Assert.ok(!sss.isSecureURI(Ci.nsISiteSecurityService.HEADER_HPKP, uri, 0),
+  Assert.ok(!sss.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
+                              "a.pinning2.example.com", 0),
             "a.pinning2.example.com should not be HPKP now");
 });
 
 // Test the case of processing HSTS and HPKP headers for a.pinning2.example.com,
 // using "Forget About Site" on example.com, and then checking that the platform
 // doesn't consider the subdomain to be HSTS or HPKP any longer. Also test that
 // unrelated sites don't also get removed.
 add_task(function* () {
   sss.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri, GOOD_MAX_AGE,
                     sslStatus, 0);
   sss.processHeader(Ci.nsISiteSecurityService.HEADER_HPKP, uri,
                     GOOD_MAX_AGE + VALID_PIN + BACKUP_PIN, sslStatus, 0);
 
-  Assert.ok(sss.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0),
+  Assert.ok(sss.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "a.pinning2.example.com", 0),
             "a.pinning2.example.com should be HSTS (subdomain case)");
-  Assert.ok(sss.isSecureURI(Ci.nsISiteSecurityService.HEADER_HPKP, uri, 0),
+  Assert.ok(sss.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
+                             "a.pinning2.example.com", 0),
             "a.pinning2.example.com should be HPKP (subdomain case)");
 
   // Add an unrelated site to HSTS.  Not HPKP because we have no valid keys for
   // example.org.
   let unrelatedURI = Services.io.newURI("https://example.org");
   sss.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, unrelatedURI,
                     GOOD_MAX_AGE, sslStatus, 0);
-  Assert.ok(sss.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             unrelatedURI, 0), "example.org should be HSTS");
+  Assert.ok(sss.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "example.org", 0),
+            "example.org should be HSTS");
 
   yield ForgetAboutSite.removeDataFromDomain("example.com");
 
-  Assert.ok(!sss.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0),
+  Assert.ok(!sss.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                              "a.pinning2.example.com", 0),
             "a.pinning2.example.com should not be HSTS now (subdomain case)");
-  Assert.ok(!sss.isSecureURI(Ci.nsISiteSecurityService.HEADER_HPKP, uri, 0),
+  Assert.ok(!sss.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
+                              "a.pinning2.example.com", 0),
             "a.pinning2.example.com should not be HPKP now (subdomain case)");
 
-  Assert.ok(sss.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             unrelatedURI, 0),
+  Assert.ok(sss.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "example.org", 0),
             "example.org should still be HSTS");
 });
--- a/security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js
@@ -40,14 +40,15 @@ function run_test() {
   add_test(function () { ocspResponder.stop(run_next_test); });
 
   let SSService = Cc["@mozilla.org/ssservice;1"]
                     .getService(Ci.nsISiteSecurityService);
   let uri = Services.io.newURI("http://localhost");
   let sslStatus = new FakeSSLStatus();
   SSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                           "max-age=10000", sslStatus, 0);
-  ok(SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0),
+  ok(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                            "localhost", 0),
      "Domain for the OCSP AIA URI should be considered a HSTS host, otherwise" +
      " we wouldn't be testing what we think we're testing");
 
   run_next_test();
 }
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic.js
+++ b/security/manager/ssl/tests/unit/test_pinning_dynamic.js
@@ -70,31 +70,27 @@ function run_test() {
   gSSService = Cc["@mozilla.org/ssservice;1"]
                  .getService(Ci.nsISiteSecurityService);
   notEqual(gSSService, null,
            "SiteSecurityService should have initialized successfully using" +
            " the generated state file");
 }
 
 function checkDefaultSiteHPKPStatus() {
-  ok(gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HPKP,
-       Services.io.newURI("https://a.pinning2.example.com"), 0),
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
+                             "a.pinning2.example.com", 0),
      "a.pinning2.example.com should have HPKP status");
-  ok(!gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HPKP,
-       Services.io.newURI("https://x.a.pinning2.example.com"), 0),
+  ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
+                              "x.a.pinning2.example.com", 0),
      "x.a.pinning2.example.com should not have HPKP status");
-  ok(gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HPKP,
-       Services.io.newURI("https://b.pinning2.example.com"), 0),
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
+                             "b.pinning2.example.com", 0),
      "b.pinning2.example.com should have HPKP status");
-  ok(gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HPKP,
-       Services.io.newURI("https://x.b.pinning2.example.com"), 0),
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
+                             "x.b.pinning2.example.com", 0),
      "x.b.pinning2.example.com should have HPKP status");
 }
 
 function checkStateRead(aSubject, aTopic, aData) {
   if (aData == SSS_STATE_FILE_NAME) {
     gSSSStateSeen = true;
   } else if (aData == PRELOAD_STATE_FILE_NAME) {
     gPreloadStateSeen = true;
@@ -158,24 +154,22 @@ function checkStateRead(aSubject, aTopic
             "b.pinning2.example.com");
   checkOK(certFromFile("b.pinning2.example.com-pinningroot"),
           "b.pinning2.example.com");
   checkFail(certFromFile("x.b.pinning2.example.com-badca"),
             "x.b.pinning2.example.com");
   checkOK(certFromFile("x.b.pinning2.example.com-pinningroot"),
           "x.b.pinning2.example.com");
 
-  ok(gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HPKP,
-       Services.io.newURI("https://a.pinning2.example.com"), 0),
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
+                             "a.pinning2.example.com", 0),
      "a.pinning2.example.com should still have HPKP status after adding" +
      " includeSubdomains to a.pinning2.example.com");
-  ok(gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HPKP,
-       Services.io.newURI("https://x.a.pinning2.example.com"), 0),
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
+                             "x.a.pinning2.example.com", 0),
      "x.a.pinning2.example.com should now have HPKP status after adding" +
      " includeSubdomains to a.pinning2.example.com");
 
   // Now setpins without subdomains
   gSSService.setKeyPins("a.pinning2.example.com", false,
                         new Date().getTime() + 1000000, 2,
                         [NON_ISSUED_KEY_HASH, PINNING_ROOT_KEY_HASH]);
   checkFail(certFromFile("a.pinning2.example.com-badca"),
@@ -226,23 +220,21 @@ function checkStateRead(aSubject, aTopic
   // Incorrect size results in failure
   throws(() => {
     gSSService.setKeyPins("a.pinning2.example.com", true,
                           new Date().getTime() + 1000000, 2, ["not a hash"]);
   }, /NS_ERROR_XPC_NOT_ENOUGH_ELEMENTS_IN_ARRAY/,
      "Attempting to set a pin with an incorrect size should fail");
 
   // Ensure built-in pins work as expected
-  ok(!gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HPKP,
-       Services.io.newURI("https://nonexistent.example.com"), 0),
+  ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
+                              "nonexistent.example.com", 0),
      "Not built-in nonexistent.example.com should not have HPKP status");
-  ok(gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HPKP,
-       Services.io.newURI("https://include-subdomains.pinning.example.com"), 0),
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
+                             "include-subdomains.pinning.example.com", 0),
      "Built-in include-subdomains.pinning.example.com should have HPKP status");
 
   gSSService.setKeyPins("a.pinning2.example.com", false, new Date().getTime(),
                         1, [NON_ISSUED_KEY_HASH]);
 
   // Check that a preload pin loaded from file works as expected
   checkFail(certFromFile("a.preload.example.com-badca"), "a.preload.example.com");
   checkOK(certFromFile("a.preload.example.com-pinningroot"), "a.preload.example.com");
--- a/security/manager/ssl/tests/unit/test_pinning_header_parsing.js
+++ b/security/manager/ssl/tests/unit/test_pinning_header_parsing.js
@@ -58,18 +58,18 @@ function checkPassValidPin(pinValue, set
 
   // check that maxAge was processed correctly
   if (settingPin && expectedMaxAge) {
     ok(maxAge.value == expectedMaxAge, `max-age value should be ${expectedMaxAge}`);
   }
 
   // after processing ensure that the postconditions are true, if setting
   // the host must be pinned, if removing the host must not be pinned
-  let hostIsPinned = gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HPKP,
-                                             uri, 0);
+  let hostIsPinned = gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
+                                             "a.pinning2.example.com", 0);
   if (settingPin) {
     ok(hostIsPinned, "Host should be considered pinned");
   } else {
     ok(!hostIsPinned, "Host should not be considered pinned");
   }
 }
 
 function checkPassSettingPin(pinValue, expectedMaxAge) {
--- a/security/manager/ssl/tests/unit/test_sss_eviction.js
+++ b/security/manager/ssl/tests/unit/test_sss_eviction.js
@@ -46,19 +46,18 @@ function do_state_written(aSubject, aTop
 
 function do_state_read(aSubject, aTopic, aData) {
   if (aData == PRELOAD_STATE_FILE_NAME) {
     return;
   }
 
   equal(aData, SSS_STATE_FILE_NAME);
 
-  ok(gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://frequentlyused.example.com"), 0));
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "frequentlyused.example.com", 0));
   let sslStatus = new FakeSSLStatus();
   for (let i = 0; i < 2000; i++) {
     let uri = Services.io.newURI("http://bad" + i + ".example.com");
     gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                             "max-age=1000", sslStatus, 0);
   }
   do_test_pending();
   Services.obs.addObserver(do_state_written, "data-storage-written", false);
--- a/security/manager/ssl/tests/unit/test_sss_readstate.js
+++ b/security/manager/ssl/tests/unit/test_sss_readstate.js
@@ -14,65 +14,51 @@ var gSSService = null;
 
 function checkStateRead(aSubject, aTopic, aData) {
   if (aData == PRELOAD_STATE_FILE_NAME) {
     return;
   }
 
   equal(aData, SSS_STATE_FILE_NAME);
 
-  ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             Services.io.newURI("https://expired.example.com"),
-                             0));
-  ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                            Services.io.newURI("https://notexpired.example.com"),
-                            0));
-  ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                            Services.io.newURI("https://bugzilla.mozilla.org"),
-                            0));
-  ok(!gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://sub.bugzilla.mozilla.org"), 0));
-  ok(gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://incsubdomain.example.com"), 0));
-  ok(gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://sub.incsubdomain.example.com"), 0));
-  ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             Services.io.newURI("https://login.persona.org"),
-                             0));
-  ok(!gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://sub.login.persona.org"), 0));
+  ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                              "expired.example.com", 0));
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "notexpired.example.com", 0));
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "bugzilla.mozilla.org", 0));
+  ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                              "sub.bugzilla.mozilla.org", 0));
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "incsubdomain.example.com", 0));
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "sub.incsubdomain.example.com", 0));
+  ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                              "login.persona.org", 0));
+  ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                              "sub.login.persona.org", 0));
 
   // Clearing the data should make everything go back to default.
   gSSService.clearAll();
-  ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             Services.io.newURI("https://expired.example.com"),
-                             0));
-  ok(!gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://notexpired.example.com"), 0));
-  ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                            Services.io.newURI("https://bugzilla.mozilla.org"),
-                            0));
-  ok(gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://sub.bugzilla.mozilla.org"), 0));
-  ok(!gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://incsubdomain.example.com"), 0));
-  ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://sub.incsubdomain.example.com"), 0));
-  ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                            Services.io.newURI("https://login.persona.org"), 0));
-  ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                            Services.io.newURI("https://sub.login.persona.org"),
-                            0));
+  ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                              "expired.example.com", 0));
+  ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                              "notexpired.example.com", 0));
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "bugzilla.mozilla.org", 0));
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "sub.bugzilla.mozilla.org", 0));
+  ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                              "incsubdomain.example.com", 0));
+  ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                              "sub.incsubdomain.example.com", 0));
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "login.persona.org", 0));
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "sub.login.persona.org", 0));
   do_test_finished();
 }
 
 function run_test() {
   let profileDir = do_get_profile();
   let stateFile = profileDir.clone();
   stateFile.append(SSS_STATE_FILE_NAME);
   // Assuming we're working with a clean slate, the file shouldn't exist
--- a/security/manager/ssl/tests/unit/test_sss_readstate_empty.js
+++ b/security/manager/ssl/tests/unit/test_sss_readstate_empty.js
@@ -5,28 +5,25 @@
 
 // The purpose of this test is to create an empty site security service state
 // file and see that the site security service doesn't fail when reading it.
 
 var gSSService = null;
 
 function checkStateRead(aSubject, aTopic, aData) {
   // nonexistent.example.com should never be an HSTS host
-  ok(!gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://nonexistent.example.com"), 0));
+  ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                              "nonexistent.example.com", 0));
   // bugzilla.mozilla.org is preloaded
-  ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                            Services.io.newURI("https://bugzilla.mozilla.org"),
-                            0));
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "bugzilla.mozilla.org", 0));
   // notexpired.example.com is an HSTS host in a different test - we
   // want to make sure that test hasn't interfered with this one.
-  ok(!gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://notexpired.example.com"), 0));
+  ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                              "notexpired.example.com", 0));
   do_test_finished();
 }
 
 function run_test() {
   let profileDir = do_get_profile();
   let stateFile = profileDir.clone();
   stateFile.append(SSS_STATE_FILE_NAME);
   // Assuming we're working with a clean slate, the file shouldn't exist
--- a/security/manager/ssl/tests/unit/test_sss_readstate_garbage.js
+++ b/security/manager/ssl/tests/unit/test_sss_readstate_garbage.js
@@ -14,27 +14,24 @@ var gSSService = null;
 
 function checkStateRead(aSubject, aTopic, aData) {
   if (aData == PRELOAD_STATE_FILE_NAME) {
     return;
   }
 
   equal(aData, SSS_STATE_FILE_NAME);
 
-  ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                            Services.io.newURI("https://example1.example.com"),
-                            0));
-  ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                            Services.io.newURI("https://example2.example.com"),
-                            0));
-  ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             Services.io.newURI("https://example.com"), 0));
-  ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             Services.io.newURI("https://example3.example.com"),
-                             0));
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "example1.example.com", 0));
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "example2.example.com", 0));
+  ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                              "example.com", 0));
+  ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                              "example3.example.com", 0));
   do_test_finished();
 }
 
 function run_test() {
   let profileDir = do_get_profile();
   let stateFile = profileDir.clone();
   stateFile.append(SSS_STATE_FILE_NAME);
   // Assuming we're working with a clean slate, the file shouldn't exist
--- a/security/manager/ssl/tests/unit/test_sss_readstate_huge.js
+++ b/security/manager/ssl/tests/unit/test_sss_readstate_huge.js
@@ -15,37 +15,30 @@ var gSSService = null;
 
 function checkStateRead(aSubject, aTopic, aData) {
   if (aData == PRELOAD_STATE_FILE_NAME) {
     return;
   }
 
   equal(aData, SSS_STATE_FILE_NAME);
 
-  ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                            Services.io.newURI("https://example0.example.com"),
-                            0));
-  ok(gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://example423.example.com"), 0));
-  ok(gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://example1023.example.com"), 0));
-  ok(!gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://example1024.example.com"), 0));
-  ok(!gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://example1025.example.com"), 0));
-  ok(!gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://example9000.example.com"), 0));
-  ok(!gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://example99999.example.com"), 0));
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "example0.example.com", 0));
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "example423.example.com", 0));
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "example1023.example.com", 0));
+  ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                              "example1024.example.com", 0));
+  ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                              "example1025.example.com", 0));
+  ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                              "example9000.example.com", 0));
+  ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                              "example99999.example.com", 0));
   do_test_finished();
 }
 
 function run_test() {
   let profileDir = do_get_profile();
   let stateFile = profileDir.clone();
   stateFile.append(SSS_STATE_FILE_NAME);
   // Assuming we're working with a clean slate, the file shouldn't exist
--- a/security/manager/ssl/tests/unit/test_sts_fqdn.js
+++ b/security/manager/ssl/tests/unit/test_sts_fqdn.js
@@ -2,35 +2,48 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  */
 "use strict";
 
 function run_test() {
   let SSService = Cc["@mozilla.org/ssservice;1"]
                     .getService(Ci.nsISiteSecurityService);
+  ok(!SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "example.com", 0));
+  ok(!SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "example.com.", 0));
+  // These cases are only relevant as long as bug 1118522 hasn't been fixed.
+  ok(!SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "example.com..", 0));
+
   let uri = Services.io.newURI("https://example.com");
-  let uri1 = Services.io.newURI("https://example.com.");
-  let uri2 = Services.io.newURI("https://example.com..");
-  ok(!SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0));
-  ok(!SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri1, 0));
-  // These cases are only relevant as long as bug 1118522 hasn't been fixed.
-  ok(!SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri2, 0));
-
   let sslStatus = new FakeSSLStatus();
   SSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                           "max-age=1000;includeSubdomains", sslStatus, 0);
+  ok(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                            "example.com", 0));
+  ok(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                            "example.com.", 0));
+  ok(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                            "example.com..", 0));
+
   ok(SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0));
-  ok(SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri1, 0));
-  ok(SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri2, 0));
+  uri = Services.io.newURI("https://example.com.");
+  ok(SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0));
+  uri = Services.io.newURI("https://example.com..");
+  ok(SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0));
 
   SSService.removeState(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0);
-  ok(!SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0));
-  ok(!SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri1, 0));
-  ok(!SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri2, 0));
+  ok(!SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "example.com", 0));
+  ok(!SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "example.com.", 0));
+  ok(!SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "example.com..", 0));
 
   // Somehow creating this malformed URI succeeds - we need to handle it
   // gracefully.
   uri = Services.io.newURI("https://../foo");
   equal(uri.host, "..");
   throws(() => {
     SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0);
   }, /NS_ERROR_UNEXPECTED/, "Malformed URI should be rejected");
--- a/security/manager/ssl/tests/unit/test_sts_holepunch.js
+++ b/security/manager/ssl/tests/unit/test_sts_holepunch.js
@@ -5,33 +5,30 @@
 "use strict";
 
 // bug 961528: chart.apis.google.com doesn't handle https. Check that
 // it isn't considered HSTS (other example.apis.google.com hosts should be
 // HSTS as long as they're on the preload list, however).
 function run_test() {
   let SSService = Cc["@mozilla.org/ssservice;1"]
                     .getService(Ci.nsISiteSecurityService);
-  ok(!SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                            Services.io.newURI("https://chart.apis.google.com"),
-                            0));
-  ok(!SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                            Services.io.newURI("https://CHART.APIS.GOOGLE.COM"),
-                            0));
-  ok(!SSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://sub.chart.apis.google.com"), 0));
-  ok(!SSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://SUB.CHART.APIS.GOOGLE.COM"), 0));
-  ok(SSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://example.apis.google.com"), 0));
-  ok(SSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://EXAMPLE.APIS.GOOGLE.COM"), 0));
-  ok(SSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://sub.example.apis.google.com"), 0));
-  ok(SSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://SUB.EXAMPLE.APIS.GOOGLE.COM"), 0));
+  ok(!SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "chart.apis.google.com", 0));
+  ok(!SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "CHART.APIS.GOOGLE.COM", 0));
+  ok(!SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "sub.chart.apis.google.com", 0));
+  ok(!SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "SUB.CHART.APIS.GOOGLE.COM", 0));
+  ok(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                            "example.apis.google.com", 0));
+  ok(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                            "EXAMPLE.APIS.GOOGLE.COM", 0));
+  ok(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                            "sub.example.apis.google.com", 0));
+  ok(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                            "SUB.EXAMPLE.APIS.GOOGLE.COM", 0));
+  // also check isSecureURI
+  let chartURI = Services.io.newURI("http://chart.apis.google.com");
+  ok(!SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, chartURI, 0));
+  let otherURI = Services.io.newURI("http://other.apis.google.com");
+  ok(SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, otherURI, 0));
 }
--- a/security/manager/ssl/tests/unit/test_sts_ipv4_ipv6.js
+++ b/security/manager/ssl/tests/unit/test_sts_ipv4_ipv6.js
@@ -1,33 +1,31 @@
 "use strict";
 
 function check_ip(s, v, ip) {
   let sslStatus = new FakeSSLStatus();
+  ok(!s.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS, ip, 0));
 
   let str = "https://";
   if (v == 6) {
     str += "[";
   }
   str += ip;
   if (v == 6) {
     str += "]";
   }
   str += "/";
 
   let uri = Services.io.newURI(str);
-  ok(!s.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0));
 
   let parsedMaxAge = {};
   let parsedIncludeSubdomains = {};
   s.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                   "max-age=1000;includeSubdomains", sslStatus, 0,
                   parsedMaxAge, parsedIncludeSubdomains);
-  ok(!s.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0),
-     "URI should not be secure if it contains an IP address");
 
   /* Test that processHeader will ignore headers for an uri, if the uri
    * contains an IP address not a hostname.
    * If processHeader indeed ignore the header, then the output parameters will
    * remain empty, and we shouldn't see the values passed as the header.
    */
   notEqual(parsedMaxAge.value, 1000);
   notEqual(parsedIncludeSubdomains.value, true);
--- a/security/manager/ssl/tests/unit/test_sts_preload_dynamic.js
+++ b/security/manager/ssl/tests/unit/test_sts_preload_dynamic.js
@@ -11,57 +11,62 @@
 // * checks that clearing preloads works correctly
 // * checks that clearing a host's HSTS state via a header correctly
 //   overrides dynamic preload entries
 
 function run_test() {
   let SSService = Cc["@mozilla.org/ssservice;1"]
                     .getService(Ci.nsISiteSecurityService);
   let sslStatus = new FakeSSLStatus();
-  let unlikelyHost = "highlyunlikely.example.com";
-  let uri = Services.io.newURI("https://" + unlikelyHost);
-  let subDomainUri = Services.io.newURI("https://subdomain." + unlikelyHost);
 
   // first check that a host probably not on the preload list is not identified
   // as an sts host
-  ok(!SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0));
+  let unlikelyHost = "highlyunlikely.example.com";
+  ok(!SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             unlikelyHost, 0));
 
   // now add a preload entry for this host
   SSService.setHSTSPreload(unlikelyHost, false, Date.now() + 60000);
 
   // check that it's now an STS host
-  ok(SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0));
+  ok(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                            unlikelyHost, 0));
 
   // check that it's honoring the fact we set includeSubdomains to false
-  ok(!SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, subDomainUri,
-                            0));
+  ok(!SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "subdomain." + unlikelyHost, 0));
 
   // clear the non-preloaded entries
   SSService.clearAll();
 
   // check that it's still an STS host
-  ok(SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0));
+  ok(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                            unlikelyHost, 0));
 
   // clear the preloads
   SSService.clearPreloads();
 
   // Check that it's no longer an STS host now that the preloads have been
   // cleared
-  ok(!SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0));
+  ok(!SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             unlikelyHost, 0));
 
   // Now let's do the same, this time with includeSubdomains on
   SSService.setHSTSPreload(unlikelyHost, true, Date.now() + 60000);
 
   // check that it's now an STS host
-  ok(SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0));
+  ok(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                            unlikelyHost, 0));
 
   // check that it's now including subdomains
-  ok(SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, subDomainUri,
-                           0));
+  ok(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                            "subdomain." + unlikelyHost, 0));
 
   // Now let's simulate overriding the entry by setting an entry from a header
   // with max-age set to 0
+  let uri = Services.io.newURI("https://" + unlikelyHost);
   SSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                           "max-age=0", sslStatus, 0);
 
   // this should no longer be an HSTS host
-  ok(!SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0));
+  ok(!SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             unlikelyHost, 0));
 }
--- a/security/manager/ssl/tests/unit/test_sts_preloadlist_perwindowpb.js
+++ b/security/manager/ssl/tests/unit/test_sts_preloadlist_perwindowpb.js
@@ -33,209 +33,190 @@ function run_test() {
   add_test(test_private_browsing1);
   add_test(test_private_browsing2);
 
   run_next_test();
 }
 
 function test_part1() {
   // check that a host not in the list is not identified as an sts host
-  ok(!gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://nonexistent.mozilla.com"), 0));
+  ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                              "nonexistent.mozilla.com", 0));
 
   // check that an ancestor domain is not identified as an sts host
-  ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             Services.io.newURI("https://com"), 0));
+  ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS, "com", 0));
 
   // check that the pref to toggle using the preload list works
   Services.prefs.setBoolPref("network.stricttransportsecurity.preloadlist", false);
-  ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             Services.io.newURI("https://bugzilla.mozilla.org"),
-                             0));
+  ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                              "bugzilla.mozilla.org", 0));
   Services.prefs.setBoolPref("network.stricttransportsecurity.preloadlist", true);
-  ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                            Services.io.newURI("https://bugzilla.mozilla.org"),
-                            0));
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "bugzilla.mozilla.org", 0));
 
   // check that a subdomain is an sts host (includeSubdomains is set)
-  ok(gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://subdomain.bugzilla.mozilla.org"), 0));
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "subdomain.bugzilla.mozilla.org", 0));
 
   // check that another subdomain is an sts host (includeSubdomains is set)
-  ok(gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://a.b.c.def.bugzilla.mozilla.org"), 0));
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "a.b.c.def.bugzilla.mozilla.org", 0));
 
   // check that a subdomain is not an sts host (includeSubdomains is not set)
-  ok(!gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://subdomain.www.torproject.org"), 0));
+  ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                              "subdomain.www.torproject.org", 0));
 
   // check that a host with a dot on the end won't break anything
-  ok(!gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://notsts.nonexistent.mozilla.com."), 0));
+  ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                              "notsts.nonexistent.mozilla.com.", 0));
 
   // check that processing a header with max-age: 0 will remove a preloaded
   // site from the list
-  let uri = Services.io.newURI("https://bugzilla.mozilla.org");
-  let subDomainUri =
-    Services.io.newURI("https://subdomain.bugzilla.mozilla.org");
+  let uri = Services.io.newURI("http://bugzilla.mozilla.org");
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                            "max-age=0", sslStatus, 0);
-  ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0));
-  ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             subDomainUri, 0));
+  ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                              "bugzilla.mozilla.org", 0));
+  ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                              "subdomain.bugzilla.mozilla.org", 0));
   // check that processing another header (with max-age non-zero) will
   // re-enable a site's sts status
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                            "max-age=1000", sslStatus, 0);
-  ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0));
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "bugzilla.mozilla.org", 0));
   // but this time include subdomains was not set, so test for that
-  ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             subDomainUri, 0));
+  ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                              "subdomain.bugzilla.mozilla.org", 0));
   gSSService.clearAll();
 
   // check that processing a header with max-age: 0 from a subdomain of a site
   // will not remove that (ancestor) site from the list
-  uri = Services.io.newURI("https://subdomain.www.torproject.org");
+  uri = Services.io.newURI("http://subdomain.www.torproject.org");
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                            "max-age=0", sslStatus, 0);
-  ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                            Services.io.newURI("https://www.torproject.org"),
-                            0));
-  ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0));
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "www.torproject.org", 0));
+  ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                              "subdomain.www.torproject.org", 0));
 
-  uri = Services.io.newURI("https://subdomain.bugzilla.mozilla.org");
+  uri = Services.io.newURI("http://subdomain.bugzilla.mozilla.org");
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                            "max-age=0", sslStatus, 0);
   // we received a header with "max-age=0", so we have "no information"
   // regarding the sts state of subdomain.bugzilla.mozilla.org specifically,
   // but it is actually still an STS host, because of the preloaded
   // bugzilla.mozilla.org including subdomains.
   // Here's a drawing:
   // |-- bugzilla.mozilla.org (in preload list, includes subdomains) IS sts host
   //     |-- subdomain.bugzilla.mozilla.org                          IS sts host
   //     |   `-- another.subdomain.bugzilla.mozilla.org              IS sts host
   //     `-- sibling.bugzilla.mozilla.org                            IS sts host
-  ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                            Services.io.newURI("https://bugzilla.mozilla.org"),
-                            0));
-  ok(gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://subdomain.bugzilla.mozilla.org"), 0));
-  ok(gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://sibling.bugzilla.mozilla.org"), 0));
-  ok(gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://another.subdomain.bugzilla.mozilla.org"),
-       0));
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "bugzilla.mozilla.org", 0));
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "subdomain.bugzilla.mozilla.org", 0));
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "sibling.bugzilla.mozilla.org", 0));
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "another.subdomain.bugzilla.mozilla.org", 0));
 
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                            "max-age=1000", sslStatus, 0);
   // Here's what we have now:
   // |-- bugzilla.mozilla.org (in preload list, includes subdomains) IS sts host
   //     |-- subdomain.bugzilla.mozilla.org (include subdomains is false) IS sts host
   //     |   `-- another.subdomain.bugzilla.mozilla.org              IS NOT sts host
   //     `-- sibling.bugzilla.mozilla.org                            IS sts host
-  ok(gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://subdomain.bugzilla.mozilla.org"), 0));
-  ok(gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://sibling.bugzilla.mozilla.org"), 0));
-  ok(!gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://another.subdomain.bugzilla.mozilla.org"),
-       0));
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "subdomain.bugzilla.mozilla.org", 0));
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "sibling.bugzilla.mozilla.org", 0));
+  ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                              "another.subdomain.bugzilla.mozilla.org", 0));
 
   // Test that an expired non-private browsing entry results in correctly
   // identifying a host that is on the preload list as no longer sts.
   // (This happens when we're in regular browsing mode, we get a header from
   // a site on the preload list, and that header later expires. We need to
   // then treat that host as no longer an sts host.)
   // (sanity check first - this should be in the preload list)
-  uri = Services.io.newURI("https://login.persona.org");
-  ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0));
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "login.persona.org", 0));
+  uri = Services.io.newURI("http://login.persona.org");
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                            "max-age=1", sslStatus, 0);
   do_timeout(1250, function() {
-    ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0));
+    ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                                "login.persona.org", 0));
     run_next_test();
   });
 }
 
 const IS_PRIVATE = Ci.nsISocketProvider.NO_PERMANENT_STORAGE;
 
 function test_private_browsing1() {
   gSSService.clearAll();
-  let uri = Services.io.newURI("https://bugzilla.mozilla.org");
-  let subDomainUri =
-    Services.io.newURI("https://a.b.c.subdomain.bugzilla.mozilla.org");
   // sanity - bugzilla.mozilla.org is preloaded, includeSubdomains set
-  ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
-                            IS_PRIVATE));
-  ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, subDomainUri,
-                            IS_PRIVATE));
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "bugzilla.mozilla.org", IS_PRIVATE));
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "a.b.c.subdomain.bugzilla.mozilla.org", IS_PRIVATE));
 
+  let uri = Services.io.newURI("http://bugzilla.mozilla.org");
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                            "max-age=0", sslStatus, IS_PRIVATE);
-  ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
-                             IS_PRIVATE));
-  ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             subDomainUri, IS_PRIVATE));
+  ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                              "bugzilla.mozilla.org", IS_PRIVATE));
+  ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                              "a.b.subdomain.bugzilla.mozilla.org", IS_PRIVATE));
 
   // check adding it back in
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                            "max-age=1000", sslStatus, IS_PRIVATE);
-  ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, IS_PRIVATE));
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "bugzilla.mozilla.org", IS_PRIVATE));
   // but no includeSubdomains this time
-  ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             subDomainUri, IS_PRIVATE));
+  ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                              "b.subdomain.bugzilla.mozilla.org", IS_PRIVATE));
 
   // do the hokey-pokey...
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                            "max-age=0", sslStatus, IS_PRIVATE);
-  ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
-                             IS_PRIVATE));
-  ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             subDomainUri, IS_PRIVATE));
+  ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                              "bugzilla.mozilla.org", IS_PRIVATE));
+  ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                              "subdomain.bugzilla.mozilla.org", IS_PRIVATE));
 
   // Test that an expired private browsing entry results in correctly
   // identifying a host that is on the preload list as no longer sts.
   // (This happens when we're in private browsing mode, we get a header from
   // a site on the preload list, and that header later expires. We need to
   // then treat that host as no longer an sts host.)
   // (sanity check first - this should be in the preload list)
-  uri = Services.io.newURI("https://login.persona.org");
-  ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
-                            IS_PRIVATE));
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "login.persona.org", IS_PRIVATE));
+  uri = Services.io.newURI("http://login.persona.org");
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                            "max-age=1", sslStatus, IS_PRIVATE);
   do_timeout(1250, function() {
-    ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
-                               IS_PRIVATE));
+    ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                                "login.persona.org", IS_PRIVATE));
     // Simulate leaving private browsing mode
     Services.obs.notifyObservers(null, "last-pb-context-exited", null);
   });
 }
 
 function test_private_browsing2() {
   // if this test gets this far, it means there's a private browsing service
-  ok(gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://bugzilla.mozilla.org"), 0));
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "bugzilla.mozilla.org", 0));
   // the bugzilla.mozilla.org entry has includeSubdomains set
-  ok(gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://subdomain.bugzilla.mozilla.org"), 0));
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "subdomain.bugzilla.mozilla.org", 0));
 
   // Now that we're out of private browsing mode, we need to make sure
   // we've "forgotten" that we "forgot" this site's sts status.
-  ok(gSSService.isSecureURI(
-       Ci.nsISiteSecurityService.HEADER_HSTS,
-       Services.io.newURI("https://login.persona.org"), 0));
+  ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "login.persona.org", 0));
 
   run_next_test();
 }
--- a/security/manager/ssl/tests/unit/test_sts_preloadlist_selfdestruct.js
+++ b/security/manager/ssl/tests/unit/test_sts_preloadlist_selfdestruct.js
@@ -1,23 +1,25 @@
 // This test uses bugzilla.mozilla.org given that it is likely to remain
 // on the preload list for a long time.
 "use strict";
 
 function run_test() {
   let SSService = Cc["@mozilla.org/ssservice;1"]
                     .getService(Ci.nsISiteSecurityService);
-  let uri = Services.io.newURI("https://bugzilla.mozilla.org");
 
   // check that a host on the preload list is identified as an sts host
-  ok(SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0));
+  ok(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                            "bugzilla.mozilla.org", 0));
 
   // now simulate that it's 19 weeks later than it actually is
   let offsetSeconds = 19 * 7 * 24 * 60 * 60;
   Services.prefs.setIntPref("test.currentTimeOffsetSeconds", offsetSeconds);
 
   // check that the preloaded host is no longer considered sts
-  ok(!SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0));
+  ok(!SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                             "bugzilla.mozilla.org", 0));
 
   // just make sure we can get everything back to normal
   Services.prefs.clearUserPref("test.currentTimeOffsetSeconds");
-  ok(SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0));
+  ok(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                            "bugzilla.mozilla.org", 0));
 }
--- a/security/manager/ssl/tests/unit/xpcshell.ini
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@@ -135,17 +135,16 @@ skip-if = toolkit == 'android'
 [test_sss_readstate_empty.js]
 [test_sss_readstate_garbage.js]
 [test_sss_readstate_huge.js]
 [test_sss_savestate.js]
 [test_startcom_wosign.js]
 [test_sts_fqdn.js]
 [test_sts_holepunch.js]
 [test_sts_ipv4_ipv6.js]
-[test_sts_parser.js]
 [test_sts_preload_dynamic.js]
 [test_sts_preloadlist_perwindowpb.js]
 [test_sts_preloadlist_selfdestruct.js]
 [test_validity.js]
 run-sequentially = hardcoded ports
 [test_x509.js]
 
 # The TLS error reporting functionality lives in /toolkit but needs tlsserver
--- a/services/common/tests/unit/test_blocklist_pinning.js
+++ b/services/common/tests/unit/test_blocklist_pinning.js
@@ -87,62 +87,52 @@ add_task(function* test_something() {
   }
   server.registerPathHandler(configPath, handleResponse);
   server.registerPathHandler(recordsPath, handleResponse);
 
   let sss = Cc["@mozilla.org/ssservice;1"]
               .getService(Ci.nsISiteSecurityService);
 
   // ensure our pins are all missing before we start
-  ok(!sss.isSecureURI(sss.HEADER_HPKP,
-                      Services.io.newURI("https://one.example.com"), 0));
-  ok(!sss.isSecureURI(sss.HEADER_HPKP,
-                      Services.io.newURI("https://two.example.com"), 0));
-  ok(!sss.isSecureURI(sss.HEADER_HPKP,
-                      Services.io.newURI("https://three.example.com"), 0));
-  ok(!sss.isSecureURI(sss.HEADER_HSTS,
-                      Services.io.newURI("https://four.example.com"), 0));
-  ok(!sss.isSecureURI(sss.HEADER_HSTS,
-                      Services.io.newURI("https://five.example.com"), 0));
+  ok(!sss.isSecureHost(sss.HEADER_HPKP, "one.example.com", 0));
+  ok(!sss.isSecureHost(sss.HEADER_HPKP, "two.example.com", 0));
+  ok(!sss.isSecureHost(sss.HEADER_HPKP, "three.example.com", 0));
+  ok(!sss.isSecureHost(sss.HEADER_HSTS, "five.example.com", 0));
 
   // Test an empty db populates
   yield PinningPreloadClient.maybeSync(2000, Date.now());
 
   let connection = yield FirefoxAdapter.openConnection({path: KINTO_STORAGE_PATH});
 
   // Open the collection, verify it's been populated:
   // Our test data has a single record; it should be in the local collection
   let collection = do_get_kinto_collection(connection, COLLECTION_NAME);
   let list = yield collection.list();
   do_check_eq(list.data.length, 1);
 
   // check that a pin exists for one.example.com
-  ok(sss.isSecureURI(sss.HEADER_HPKP,
-                     Services.io.newURI("https://one.example.com"), 0));
+  ok(sss.isSecureHost(sss.HEADER_HPKP, "one.example.com", 0));
 
   // Test the db is updated when we call again with a later lastModified value
   yield PinningPreloadClient.maybeSync(4000, Date.now());
 
   // Open the collection, verify it's been updated:
   // Our data now has four new records; all should be in the local collection
   collection = do_get_kinto_collection(connection, COLLECTION_NAME);
   list = yield collection.list();
   do_check_eq(list.data.length, 5);
   yield connection.close();
 
   // check that a pin exists for two.example.com and three.example.com
-  ok(sss.isSecureURI(sss.HEADER_HPKP,
-                     Services.io.newURI("https://two.example.com"), 0));
-  ok(sss.isSecureURI(sss.HEADER_HPKP,
-                     Services.io.newURI("https://three.example.com"), 0));
+  ok(sss.isSecureHost(sss.HEADER_HPKP, "two.example.com", 0));
+  ok(sss.isSecureHost(sss.HEADER_HPKP, "three.example.com", 0));
 
   // check that a pin does not exist for four.example.com - it's in the
   // collection but the version should not match
-  ok(!sss.isSecureURI(sss.HEADER_HPKP,
-                      Services.io.newURI("https://four.example.com"), 0));
+  ok(!sss.isSecureHost(sss.HEADER_HPKP, "four.example.com", 0));
 
   // Try to maybeSync with the current lastModified value - no connection
   // should be attempted.
   // Clear the kinto base pref so any connections will cause a test failure
   Services.prefs.clearUserPref("services.settings.server");
   yield PinningPreloadClient.maybeSync(4000, Date.now());
 
   // Try again with a lastModified value at some point in the past
@@ -151,35 +141,30 @@ add_task(function* test_something() {
   // Check the pinning check time pref is modified, even if the collection
   // hasn't changed
   Services.prefs.setIntPref("services.blocklist.onecrl.checked", 0);
   yield PinningPreloadClient.maybeSync(3000, Date.now());
   let newValue = Services.prefs.getIntPref("services.blocklist.pinning.checked");
   do_check_neq(newValue, 0);
 
   // Check that the HSTS preload added to the collection works...
-  ok(sss.isSecureURI(sss.HEADER_HSTS,
-                     Services.io.newURI("https://five.example.com"), 0));
+  ok(sss.isSecureHost(sss.HEADER_HSTS, "five.example.com", 0));
   // ...and that includeSubdomains is honored
-  ok(!sss.isSecureURI(sss.HEADER_HSTS,
-                      Services.io.newURI("https://subdomain.five.example.com"),
-                      0));
+  ok(!sss.isSecureHost(sss.HEADER_HSTS, "subdomain.five.example.com", 0));
 
   // Check that a sync completes even when there's bad data in the
   // collection. This will throw on fail, so just calling maybeSync is an
   // acceptible test (the data below with last_modified of 300 is nonsense).
   Services.prefs.setCharPref("services.settings.server",
                              `http://localhost:${server.identity.primaryPort}/v1`);
   yield PinningPreloadClient.maybeSync(5000, Date.now());
 
   // The STS entry for five.example.com now has includeSubdomains set;
   // ensure that the new includeSubdomains value is honored.
-  ok(sss.isSecureURI(sss.HEADER_HSTS,
-                     Services.io.newURI("https://subdomain.five.example.com"),
-                     0));
+  ok(sss.isSecureHost(sss.HEADER_HSTS, "subdomain.five.example.com", 0));
 });
 
 function run_test() {
   // Ensure that signature verification is disabled to prevent interference
   // with basic certificate sync tests
   Services.prefs.setBoolPref("services.blocklist.signing.enforced", false);
 
   // Set up an HTTP Server