Bug 1350599 - Use guaranteed preloaded test domains instead of real domains in HSTS tests. r=keeler, a=test-only
authorCykesiopka <cykesiopka.bmo@gmail.com>
Wed, 05 Apr 2017 09:36:00 -0400
changeset 355580 0af73defbea26649fecd30d42976bad2d970117b
parent 355579 58467de2e53e94a8cdb29730e8ea47f7cb27a164
child 355581 014a36bb27d82273b9cbd624969cd587a3db3e94
push id7004
push userryanvm@gmail.com
push dateWed, 05 Apr 2017 21:54:49 +0000
treeherdermozilla-esr52@845da34e5bd8 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerskeeler, test-only
bugs1350599
milestone52.0.3
Bug 1350599 - Use guaranteed preloaded test domains instead of real domains in HSTS tests. r=keeler, a=test-only Some of our tests currently assume that certain real domains are HSTS preloaded. While most of the time these domains are in fact preloaded, this may change during periods of maintenance or other events. To avoid this, the changes here perform the following renames: bugzilla.mozilla.org -> includesubdomains.preloaded.test login.persona.org -> includesubdomains2.preloaded.test www.torproject.org -> noincludesubdomains.preloaded.test In addition, some tests that refer to mozilla.com (but don't depend on it being preloaded) are made to refer to example.com instead to avoid referring to real domains in tests. MozReview-Commit-ID: 3987moJnKGk
security/manager/ssl/tests/unit/sss_readstate_child_worker.js
security/manager/ssl/tests/unit/test_sss_readstate.js
security/manager/ssl/tests/unit/test_sss_readstate_child.js
security/manager/ssl/tests/unit/test_sss_readstate_empty.js
security/manager/ssl/tests/unit/test_sss_savestate.js
security/manager/ssl/tests/unit/test_sts_preloadlist_perwindowpb.js
security/manager/ssl/tests/unit/test_sts_preloadlist_selfdestruct.js
security/manager/ssl/tests/unit/xpcshell.ini
--- a/security/manager/ssl/tests/unit/sss_readstate_child_worker.js
+++ b/security/manager/ssl/tests/unit/sss_readstate_child_worker.js
@@ -5,21 +5,21 @@ function run_test() {
   let SSService = Cc["@mozilla.org/ssservice;1"]
                     .getService(Ci.nsISiteSecurityService);
 
   ok(!SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
                              "expired.example.com", 0));
   ok(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
                             "notexpired.example.com", 0));
   ok(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                            "bugzilla.mozilla.org", 0));
+                            "includesubdomains.preloaded.test", 0));
   ok(!SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             "sub.bugzilla.mozilla.org", 0));
+                             "sub.includesubdomains.preloaded.test", 0));
   ok(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
                             "incsubdomain.example.com", 0));
   ok(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
                             "sub.incsubdomain.example.com", 0));
   ok(!SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             "login.persona.org", 0));
+                             "includesubdomains2.preloaded.test", 0));
   ok(!SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             "sub.login.persona.org", 0));
+                             "sub.includesubdomains2.preloaded.test", 0));
   do_test_finished();
 }
--- a/security/manager/ssl/tests/unit/test_sss_readstate.js
+++ b/security/manager/ssl/tests/unit/test_sss_readstate.js
@@ -19,64 +19,64 @@ function checkStateRead(aSubject, aTopic
 
   equal(aData, SSS_STATE_FILE_NAME);
 
   ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
                               "expired.example.com", 0));
   ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
                              "notexpired.example.com", 0));
   ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             "bugzilla.mozilla.org", 0));
+                             "includesubdomains.preloaded.test", 0));
   ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                              "sub.bugzilla.mozilla.org", 0));
+                              "sub.includesubdomains.preloaded.test", 0));
   ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
                              "incsubdomain.example.com", 0));
   ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
                              "sub.incsubdomain.example.com", 0));
   ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                              "login.persona.org", 0));
+                              "includesubdomains2.preloaded.test", 0));
   ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                              "sub.login.persona.org", 0));
+                              "sub.includesubdomains2.preloaded.test", 0));
 
   // Clearing the data should make everything go back to default.
   gSSService.clearAll();
   ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
                               "expired.example.com", 0));
   ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
                               "notexpired.example.com", 0));
   ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             "bugzilla.mozilla.org", 0));
+                             "includesubdomains.preloaded.test", 0));
   ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             "sub.bugzilla.mozilla.org", 0));
+                             "sub.includesubdomains.preloaded.test", 0));
   ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
                               "incsubdomain.example.com", 0));
   ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
                               "sub.incsubdomain.example.com", 0));
   ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             "login.persona.org", 0));
+                             "includesubdomains2.preloaded.test", 0));
   ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             "sub.login.persona.org", 0));
+                             "sub.includesubdomains2.preloaded.test", 0));
   do_test_finished();
 }
 
 function run_test() {
   let profileDir = do_get_profile();
   let stateFile = profileDir.clone();
   stateFile.append(SSS_STATE_FILE_NAME);
   // Assuming we're working with a clean slate, the file shouldn't exist
   // until we create it.
   ok(!stateFile.exists());
   let outputStream = FileUtils.openFileOutputStream(stateFile);
   let now = (new Date()).getTime();
   writeLine("expired.example.com:HSTS\t0\t0\t" + (now - 100000) + ",1,0\n", outputStream);
   writeLine("notexpired.example.com:HSTS\t0\t0\t" + (now + 100000) + ",1,0\n", outputStream);
   // This overrides an entry on the preload list.
-  writeLine("bugzilla.mozilla.org:HSTS\t0\t0\t" + (now + 100000) + ",1,0\n", outputStream);
+  writeLine("includesubdomains.preloaded.test:HSTS\t0\t0\t" + (now + 100000) + ",1,0\n", outputStream);
   writeLine("incsubdomain.example.com:HSTS\t0\t0\t" + (now + 100000) + ",1,1\n", outputStream);
   // This overrides an entry on the preload list.
-  writeLine("login.persona.org:HSTS\t0\t0\t0,2,0\n", outputStream);
+  writeLine("includesubdomains2.preloaded.test:HSTS\t0\t0\t0,2,0\n", outputStream);
   outputStream.close();
   Services.obs.addObserver(checkStateRead, "data-storage-ready", false);
   do_test_pending();
   gSSService = Cc["@mozilla.org/ssservice;1"]
                  .getService(Ci.nsISiteSecurityService);
   notEqual(gSSService, null);
 }
--- a/security/manager/ssl/tests/unit/test_sss_readstate_child.js
+++ b/security/manager/ssl/tests/unit/test_sss_readstate_child.js
@@ -23,19 +23,19 @@ function run_test() {
   // Assuming we're working with a clean slate, the file shouldn't exist
   // until we create it.
   ok(!stateFile.exists());
   let outputStream = FileUtils.openFileOutputStream(stateFile);
   let now = (new Date()).getTime();
   writeLine("expired.example.com:HSTS\t0\t0\t" + (now - 100000) + ",1,0\n", outputStream);
   writeLine("notexpired.example.com:HSTS\t0\t0\t" + (now + 100000) + ",1,0\n", outputStream);
   // This overrides an entry on the preload list.
-  writeLine("bugzilla.mozilla.org:HSTS\t0\t0\t" + (now + 100000) + ",1,0\n", outputStream);
+  writeLine("includesubdomains.preloaded.test:HSTS\t0\t0\t" + (now + 100000) + ",1,0\n", outputStream);
   writeLine("incsubdomain.example.com:HSTS\t0\t0\t" + (now + 100000) + ",1,1\n", outputStream);
   // This overrides an entry on the preload list.
-  writeLine("login.persona.org:HSTS\t0\t0\t0,2,0\n", outputStream);
+  writeLine("includesubdomains2.preloaded.test:HSTS\t0\t0\t0,2,0\n", outputStream);
   outputStream.close();
   Services.obs.addObserver(start_test_in_child, "data-storage-ready", false);
   do_test_pending();
   let SSService = Cc["@mozilla.org/ssservice;1"]
                     .getService(Ci.nsISiteSecurityService);
   notEqual(SSService, null);
 }
--- a/security/manager/ssl/tests/unit/test_sss_readstate_empty.js
+++ b/security/manager/ssl/tests/unit/test_sss_readstate_empty.js
@@ -7,19 +7,18 @@
 // file and see that the site security service doesn't fail when reading it.
 
 var gSSService = null;
 
 function checkStateRead(aSubject, aTopic, aData) {
   // nonexistent.example.com should never be an HSTS host
   ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
                               "nonexistent.example.com", 0));
-  // bugzilla.mozilla.org is preloaded
   ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             "bugzilla.mozilla.org", 0));
+                             "includesubdomains.preloaded.test", 0));
   // notexpired.example.com is an HSTS host in a different test - we
   // want to make sure that test hasn't interfered with this one.
   ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
                               "notexpired.example.com", 0));
   do_test_finished();
 }
 
 function run_test() {
--- a/security/manager/ssl/tests/unit/test_sss_savestate.js
+++ b/security/manager/ssl/tests/unit/test_sss_savestate.js
@@ -49,20 +49,20 @@ function checkStateWritten(aSubject, aTo
   // We can receive multiple data-storage-written events. In particular, we
   // may receive one where DataStorage wrote out data before we were done
   // processing all of our headers. In this case, the data may not be
   // as we expect. We only care about the final one being correct, however,
   // so we return and wait for the next event if things aren't as we expect.
   // sites[url][1] corresponds to SecurityPropertySet (if 1) and
   //                              SecurityPropertyUnset (if 0)
   // sites[url][2] corresponds to includeSubdomains
-  if (sites["bugzilla.mozilla.org:HSTS"][1] != 1) {
+  if (sites["includesubdomains.preloaded.test:HSTS"][1] != 1) {
     return;
   }
-  if (sites["bugzilla.mozilla.org:HSTS"][2] != 0) {
+  if (sites["includesubdomains.preloaded.test:HSTS"][2] != 0) {
     return;
   }
   if (sites["a.example.com:HSTS"][1] != 1) {
     return;
   }
   if (sites["a.example.com:HSTS"][2] != 1) {
     return;
   }
@@ -100,17 +100,17 @@ function run_test() {
   gProfileDir = do_get_profile();
   let SSService = Cc["@mozilla.org/ssservice;1"]
                     .getService(Ci.nsISiteSecurityService);
   // Put an HPKP entry
   SSService.setKeyPins("dynamic-pin.example.com", true,
                        new Date().getTime() + 1000000, 1,
                        [NON_ISSUED_KEY_HASH]);
 
-  let uris = [ Services.io.newURI("http://bugzilla.mozilla.org", null, null),
+  let uris = [ Services.io.newURI("http://includesubdomains.preloaded.test", null, null),
                Services.io.newURI("http://a.example.com", null, null),
                Services.io.newURI("http://b.example.com", null, null),
                Services.io.newURI("http://c.c.example.com", null, null),
                Services.io.newURI("http://d.example.com", null, null) ];
 
   for (let i = 0; i < 1000; i++) {
     let uriIndex = i % uris.length;
     // vary max-age
--- a/security/manager/ssl/tests/unit/test_sts_preloadlist_perwindowpb.js
+++ b/security/manager/ssl/tests/unit/test_sts_preloadlist_perwindowpb.js
@@ -1,13 +1,8 @@
-// This test attempts to use only domains that are likely to remain on the
-// preload list for a long time. Currently this includes bugzilla.mozilla.org
-// and login.persona.org because they are Mozilla properties and we are
-// invested in HSTS. Additionally, www.torproject.org was deemed likely to
-// continue to use HSTS.
 "use strict";
 
 var gSSService = Cc["@mozilla.org/ssservice;1"]
                    .getService(Ci.nsISiteSecurityService);
 
 function Observer() {}
 Observer.prototype = {
   observe: function(subject, topic, data) {
@@ -34,189 +29,189 @@ function run_test() {
   add_test(test_private_browsing2);
 
   run_next_test();
 }
 
 function test_part1() {
   // check that a host not in the list is not identified as an sts host
   ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                              "nonexistent.mozilla.com", 0));
+                              "nonexistent.example.com", 0));
 
   // check that an ancestor domain is not identified as an sts host
   ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS, "com", 0));
 
   // check that the pref to toggle using the preload list works
   Services.prefs.setBoolPref("network.stricttransportsecurity.preloadlist", false);
   ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                              "bugzilla.mozilla.org", 0));
+                              "includesubdomains.preloaded.test", 0));
   Services.prefs.setBoolPref("network.stricttransportsecurity.preloadlist", true);
   ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             "bugzilla.mozilla.org", 0));
+                             "includesubdomains.preloaded.test", 0));
 
   // check that a subdomain is an sts host (includeSubdomains is set)
   ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             "subdomain.bugzilla.mozilla.org", 0));
+                             "subdomain.includesubdomains.preloaded.test", 0));
 
   // check that another subdomain is an sts host (includeSubdomains is set)
   ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             "a.b.c.def.bugzilla.mozilla.org", 0));
+                             "a.b.c.def.includesubdomains.preloaded.test", 0));
 
   // check that a subdomain is not an sts host (includeSubdomains is not set)
   ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                              "subdomain.www.torproject.org", 0));
+                              "subdomain.noincludesubdomains.preloaded.test", 0));
 
   // check that a host with a dot on the end won't break anything
   ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                              "notsts.nonexistent.mozilla.com.", 0));
+                              "notsts.nonexistent.example.com.", 0));
 
   // check that processing a header with max-age: 0 will remove a preloaded
   // site from the list
-  let uri = Services.io.newURI("http://bugzilla.mozilla.org", null, null);
+  let uri = Services.io.newURI("http://includesubdomains.preloaded.test", null, null);
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                            "max-age=0", sslStatus, 0);
   ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                              "bugzilla.mozilla.org", 0));
+                              "includesubdomains.preloaded.test", 0));
   ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                              "subdomain.bugzilla.mozilla.org", 0));
+                              "subdomain.includesubdomains.preloaded.test", 0));
   // check that processing another header (with max-age non-zero) will
   // re-enable a site's sts status
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                            "max-age=1000", sslStatus, 0);
   ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             "bugzilla.mozilla.org", 0));
+                             "includesubdomains.preloaded.test", 0));
   // but this time include subdomains was not set, so test for that
   ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                              "subdomain.bugzilla.mozilla.org", 0));
+                              "subdomain.includesubdomains.preloaded.test", 0));
   gSSService.clearAll();
 
   // check that processing a header with max-age: 0 from a subdomain of a site
   // will not remove that (ancestor) site from the list
-  uri = Services.io.newURI("http://subdomain.www.torproject.org", null, null);
+  uri = Services.io.newURI("http://subdomain.noincludesubdomains.preloaded.test", null, null);
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                            "max-age=0", sslStatus, 0);
   ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             "www.torproject.org", 0));
+                             "noincludesubdomains.preloaded.test", 0));
   ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                              "subdomain.www.torproject.org", 0));
+                              "subdomain.noincludesubdomains.preloaded.test", 0));
 
-  uri = Services.io.newURI("http://subdomain.bugzilla.mozilla.org", null, null);
+  uri = Services.io.newURI("http://subdomain.includesubdomains.preloaded.test", null, null);
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                            "max-age=0", sslStatus, 0);
   // we received a header with "max-age=0", so we have "no information"
-  // regarding the sts state of subdomain.bugzilla.mozilla.org specifically,
+  // regarding the sts state of subdomain.includesubdomains.preloaded.test specifically,
   // but it is actually still an STS host, because of the preloaded
-  // bugzilla.mozilla.org including subdomains.
+  // includesubdomains.preloaded.test including subdomains.
   // Here's a drawing:
-  // |-- bugzilla.mozilla.org (in preload list, includes subdomains) IS sts host
-  //     |-- subdomain.bugzilla.mozilla.org                          IS sts host
-  //     |   `-- another.subdomain.bugzilla.mozilla.org              IS sts host
-  //     `-- sibling.bugzilla.mozilla.org                            IS sts host
+  // |-- includesubdomains.preloaded.test (in preload list, includes subdomains) IS sts host
+  //     |-- subdomain.includesubdomains.preloaded.test                          IS sts host
+  //     |   `-- another.subdomain.includesubdomains.preloaded.test              IS sts host
+  //     `-- sibling.includesubdomains.preloaded.test                            IS sts host
   ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             "bugzilla.mozilla.org", 0));
+                             "includesubdomains.preloaded.test", 0));
   ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             "subdomain.bugzilla.mozilla.org", 0));
+                             "subdomain.includesubdomains.preloaded.test", 0));
   ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             "sibling.bugzilla.mozilla.org", 0));
+                             "sibling.includesubdomains.preloaded.test", 0));
   ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             "another.subdomain.bugzilla.mozilla.org", 0));
+                             "another.subdomain.includesubdomains.preloaded.test", 0));
 
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                            "max-age=1000", sslStatus, 0);
   // Here's what we have now:
-  // |-- bugzilla.mozilla.org (in preload list, includes subdomains) IS sts host
-  //     |-- subdomain.bugzilla.mozilla.org (include subdomains is false) IS sts host
-  //     |   `-- another.subdomain.bugzilla.mozilla.org              IS NOT sts host
-  //     `-- sibling.bugzilla.mozilla.org                            IS sts host
+  // |-- includesubdomains.preloaded.test (in preload list, includes subdomains) IS sts host
+  //     |-- subdomain.includesubdomains.preloaded.test (include subdomains is false) IS sts host
+  //     |   `-- another.subdomain.includesubdomains.preloaded.test              IS NOT sts host
+  //     `-- sibling.includesubdomains.preloaded.test                            IS sts host
   ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             "subdomain.bugzilla.mozilla.org", 0));
+                             "subdomain.includesubdomains.preloaded.test", 0));
   ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             "sibling.bugzilla.mozilla.org", 0));
+                             "sibling.includesubdomains.preloaded.test", 0));
   ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                              "another.subdomain.bugzilla.mozilla.org", 0));
+                              "another.subdomain.includesubdomains.preloaded.test", 0));
 
   // Test that an expired non-private browsing entry results in correctly
   // identifying a host that is on the preload list as no longer sts.
   // (This happens when we're in regular browsing mode, we get a header from
   // a site on the preload list, and that header later expires. We need to
   // then treat that host as no longer an sts host.)
   // (sanity check first - this should be in the preload list)
   ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             "login.persona.org", 0));
-  uri = Services.io.newURI("http://login.persona.org", null, null);
+                             "includesubdomains2.preloaded.test", 0));
+  uri = Services.io.newURI("http://includesubdomains2.preloaded.test", null, null);
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                            "max-age=1", sslStatus, 0);
   do_timeout(1250, function() {
     ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                                "login.persona.org", 0));
+                                "includesubdomains2.preloaded.test", 0));
     run_next_test();
   });
 }
 
 const IS_PRIVATE = Ci.nsISocketProvider.NO_PERMANENT_STORAGE;
 
 function test_private_browsing1() {
   gSSService.clearAll();
-  // sanity - bugzilla.mozilla.org is preloaded, includeSubdomains set
+  // sanity - includesubdomains.preloaded.test is preloaded, includeSubdomains set
   ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             "bugzilla.mozilla.org", IS_PRIVATE));
+                             "includesubdomains.preloaded.test", IS_PRIVATE));
   ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             "a.b.c.subdomain.bugzilla.mozilla.org", IS_PRIVATE));
+                             "a.b.c.subdomain.includesubdomains.preloaded.test", IS_PRIVATE));
 
-  let uri = Services.io.newURI("http://bugzilla.mozilla.org", null, null);
+  let uri = Services.io.newURI("http://includesubdomains.preloaded.test", null, null);
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                            "max-age=0", sslStatus, IS_PRIVATE);
   ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                              "bugzilla.mozilla.org", IS_PRIVATE));
+                              "includesubdomains.preloaded.test", IS_PRIVATE));
   ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                              "a.b.subdomain.bugzilla.mozilla.org", IS_PRIVATE));
+                              "a.b.subdomain.includesubdomains.preloaded.test", IS_PRIVATE));
 
   // check adding it back in
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                            "max-age=1000", sslStatus, IS_PRIVATE);
   ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             "bugzilla.mozilla.org", IS_PRIVATE));
+                             "includesubdomains.preloaded.test", IS_PRIVATE));
   // but no includeSubdomains this time
   ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                              "b.subdomain.bugzilla.mozilla.org", IS_PRIVATE));
+                              "b.subdomain.includesubdomains.preloaded.test", IS_PRIVATE));
 
   // do the hokey-pokey...
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                            "max-age=0", sslStatus, IS_PRIVATE);
   ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                              "bugzilla.mozilla.org", IS_PRIVATE));
+                              "includesubdomains.preloaded.test", IS_PRIVATE));
   ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                              "subdomain.bugzilla.mozilla.org", IS_PRIVATE));
+                              "subdomain.includesubdomains.preloaded.test", IS_PRIVATE));
 
   // Test that an expired private browsing entry results in correctly
   // identifying a host that is on the preload list as no longer sts.
   // (This happens when we're in private browsing mode, we get a header from
   // a site on the preload list, and that header later expires. We need to
   // then treat that host as no longer an sts host.)
   // (sanity check first - this should be in the preload list)
   ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             "login.persona.org", IS_PRIVATE));
-  uri = Services.io.newURI("http://login.persona.org", null, null);
+                             "includesubdomains2.preloaded.test", IS_PRIVATE));
+  uri = Services.io.newURI("http://includesubdomains2.preloaded.test", null, null);
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                            "max-age=1", sslStatus, IS_PRIVATE);
   do_timeout(1250, function() {
     ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                                "login.persona.org", IS_PRIVATE));
+                                "includesubdomains2.preloaded.test", IS_PRIVATE));
     // Simulate leaving private browsing mode
     Services.obs.notifyObservers(null, "last-pb-context-exited", null);
   });
 }
 
 function test_private_browsing2() {
   // if this test gets this far, it means there's a private browsing service
   ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             "bugzilla.mozilla.org", 0));
-  // the bugzilla.mozilla.org entry has includeSubdomains set
+                             "includesubdomains.preloaded.test", 0));
+  // the includesubdomains.preloaded.test entry has includeSubdomains set
   ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             "subdomain.bugzilla.mozilla.org", 0));
+                             "subdomain.includesubdomains.preloaded.test", 0));
 
   // Now that we're out of private browsing mode, we need to make sure
   // we've "forgotten" that we "forgot" this site's sts status.
   ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             "login.persona.org", 0));
+                             "includesubdomains2.preloaded.test", 0));
 
   run_next_test();
 }
--- a/security/manager/ssl/tests/unit/test_sts_preloadlist_selfdestruct.js
+++ b/security/manager/ssl/tests/unit/test_sts_preloadlist_selfdestruct.js
@@ -1,25 +1,23 @@
-// This test uses bugzilla.mozilla.org given that it is likely to remain
-// on the preload list for a long time.
 "use strict";
 
 function run_test() {
   let SSService = Cc["@mozilla.org/ssservice;1"]
                     .getService(Ci.nsISiteSecurityService);
 
   // check that a host on the preload list is identified as an sts host
   ok(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                            "bugzilla.mozilla.org", 0));
+                            "includesubdomains.preloaded.test", 0));
 
   // now simulate that it's 19 weeks later than it actually is
   let offsetSeconds = 19 * 7 * 24 * 60 * 60;
   Services.prefs.setIntPref("test.currentTimeOffsetSeconds", offsetSeconds);
 
   // check that the preloaded host is no longer considered sts
   ok(!SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                             "bugzilla.mozilla.org", 0));
+                             "includesubdomains.preloaded.test", 0));
 
   // just make sure we can get everything back to normal
   Services.prefs.clearUserPref("test.currentTimeOffsetSeconds");
   ok(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
-                            "bugzilla.mozilla.org", 0));
+                            "includesubdomains.preloaded.test", 0));
 }
--- a/security/manager/ssl/tests/unit/xpcshell.ini
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@@ -122,32 +122,28 @@ requesttimeoutfactor = 2
 [test_session_resumption.js]
 run-sequentially = hardcoded ports
 [test_signed_apps.js]
 [test_signed_apps-marketplace.js]
 [test_signed_dir.js]
 tags = addons psm
 [test_sss_eviction.js]
 [test_sss_readstate.js]
-skip-if = true # bug 1350599
 [test_sss_readstate_child.js]
 support-files = sss_readstate_child_worker.js
 # bug 1124289 - run_test_in_child violates the sandbox on android
 skip-if = toolkit == 'android'
 [test_sss_readstate_empty.js]
-skip-if = true # bug 1350599
 [test_sss_readstate_garbage.js]
 [test_sss_readstate_huge.js]
 [test_sss_savestate.js]
 [test_startcom_wosign.js]
 [test_sts_fqdn.js]
 [test_sts_holepunch.js]
 [test_sts_ipv4_ipv6.js]
 [test_sts_preloadlist_perwindowpb.js]
-skip-if = true # bug 1350599
 [test_sts_preloadlist_selfdestruct.js]
-skip-if = true # bug 1350599
 [test_validity.js]
 run-sequentially = hardcoded ports
 [test_x509.js]
 
 # The TLS error reporting functionality lives in /toolkit but needs tlsserver
 [test_toolkit_securityreporter.js]