Merge mozilla-central to autoland
authorarthur.iakab <aiakab@mozilla.com>
Sun, 11 Mar 2018 23:49:17 +0200
changeset 462574 74516fae34bdeba845d62966af43115de3f6e81d
parent 462573 48c4d99016ec84efa9298321ae1e692a9b4f3f8d (current diff)
parent 462570 a6f5fb18e6bcc9bffe4a0209a22d8a25510936be (diff)
child 462575 dce4c11dc650266c1b54eb8b4389bf87067034f8
push id1683
push usersfraser@mozilla.com
push dateThu, 26 Apr 2018 16:43:40 +0000
treeherdermozilla-release@5af6cb21869d [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
milestone60.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Merge mozilla-central to autoland
dom/webauthn/tests/cbor/cbor.js
--- a/browser/base/content/browser.css
+++ b/browser/base/content/browser.css
@@ -1362,16 +1362,20 @@ toolbarpaletteitem[place="palette"][hidd
 .popup-notification-invalid-input {
   box-shadow: 0 0 1.5px 1px red;
 }
 
 .popup-notification-invalid-input[focused] {
   box-shadow: 0 0 2px 2px rgba(255,0,0,0.4);
 }
 
+.popup-notification-description[popupid=webauthn-prompt-register-direct] {
+  white-space: pre-line;
+}
+
 .dragfeedback-tab {
   -moz-appearance: none;
   opacity: 0.65;
   -moz-window-shadow: none;
 }
 
 /* Page action panel */
 #pageAction-panel-sendToDevice-subview-body:not([state="notready"]) > #pageAction-panel-sendToDevice-notReady,
--- a/browser/base/content/browser.js
+++ b/browser/base/content/browser.js
@@ -1462,16 +1462,17 @@ var gBrowserInit = {
     Services.obs.addObserver(gXPInstallObserver, "addon-install-failed");
     Services.obs.addObserver(gXPInstallObserver, "addon-install-confirmation");
     Services.obs.addObserver(gXPInstallObserver, "addon-install-complete");
     window.messageManager.addMessageListener("Browser:URIFixup", gKeywordURIFixup);
 
     BrowserOffline.init();
     IndexedDBPromptHelper.init();
     CanvasPermissionPromptHelper.init();
+    WebAuthnPromptHelper.init();
 
     // Initialize the full zoom setting.
     // We do this before the session restore service gets initialized so we can
     // apply full zoom settings to tabs restored by the session restore service.
     FullZoom.init();
     PanelUI.init();
 
     UpdateUrlbarSearchSplitterState();
@@ -1932,16 +1933,17 @@ var gBrowserInit = {
       }
 
       if (AppConstants.isPlatformAndVersionAtLeast("win", "10")) {
         MenuTouchModeObserver.uninit();
       }
       BrowserOffline.uninit();
       IndexedDBPromptHelper.uninit();
       CanvasPermissionPromptHelper.uninit();
+      WebAuthnPromptHelper.uninit();
       PanelUI.uninit();
       AutoShowBookmarksToolbar.uninit();
     }
 
     // Final window teardown, do this last.
     gBrowser.destroy();
     window.XULBrowserWindow = null;
     window.QueryInterface(Ci.nsIInterfaceRequestor)
@@ -6764,16 +6766,143 @@ var CanvasPermissionPromptHelper = {
       checkbox,
       name: uri.asciiHost,
     };
     PopupNotifications.show(browser, aTopic, message, this._notificationIcon,
                             mainAction, secondaryActions, options);
   }
 };
 
+var WebAuthnPromptHelper = {
+  _icon: "default-notification-icon",
+  _topic: "webauthn-prompt",
+
+  // The current notification, if any. The U2F manager is a singleton, we will
+  // never allow more than one active request. And thus we'll never have more
+  // than one notification either.
+  _current: null,
+
+  // The current transaction ID. Will be checked when we're notified of the
+  // cancellation of an ongoing WebAuthhn request.
+  _tid: 0,
+
+  init() {
+    Services.obs.addObserver(this, this._topic);
+  },
+
+  uninit() {
+    Services.obs.removeObserver(this, this._topic);
+  },
+
+  observe(aSubject, aTopic, aData) {
+    let mgr = aSubject.QueryInterface(Ci.nsIU2FTokenManager);
+    let data = JSON.parse(aData);
+
+    if (data.action == "register") {
+      this.register(mgr, data);
+    } else if (data.action == "register-direct") {
+      this.registerDirect(mgr, data);
+    } else if (data.action == "sign") {
+      this.sign(mgr, data);
+    } else if (data.action == "cancel") {
+      this.cancel(data);
+    }
+  },
+
+  register(mgr, {origin, tid}) {
+    let mainAction = this.buildCancelAction(mgr, tid);
+    this.show(tid, "register", "webauthn.registerPrompt", origin, mainAction);
+  },
+
+  registerDirect(mgr, {origin, tid}) {
+    let mainAction = this.buildProceedAction(mgr, tid);
+    let secondaryActions = [this.buildCancelAction(mgr, tid)];
+
+    let learnMoreURL =
+      Services.urlFormatter.formatURLPref("app.support.baseURL") +
+      "webauthn-direct-attestation";
+
+    let options = {
+      learnMoreURL,
+      checkbox: {
+        label: gNavigatorBundle.getString("webauthn.anonymize")
+      }
+    };
+
+    this.show(tid, "register-direct", "webauthn.registerDirectPrompt",
+              origin, mainAction, secondaryActions, options);
+  },
+
+  sign(mgr, {origin, tid}) {
+    let mainAction = this.buildCancelAction(mgr, tid);
+    this.show(tid, "sign", "webauthn.signPrompt", origin, mainAction);
+  },
+
+  show(tid, id, stringId, origin, mainAction, secondaryActions = [], options = {}) {
+    this.reset();
+
+    try {
+      origin = Services.io.newURI(origin).asciiHost;
+    } catch (e) {
+      /* Might fail for arbitrary U2F RP IDs. */
+    }
+
+    let brandShortName =
+      document.getElementById("bundle_brand").getString("brandShortName");
+    let message =
+      gNavigatorBundle.getFormattedString(stringId, ["<>", brandShortName], 1);
+
+    options.name = origin;
+    options.hideClose = true;
+    options.eventCallback = event => {
+      if (event == "removed") {
+        this._current = null;
+        this._tid = 0;
+      }
+    };
+
+    this._tid = tid;
+    this._current = PopupNotifications.show(
+      gBrowser.selectedBrowser, `webauthn-prompt-${id}`, message,
+      this._icon, mainAction, secondaryActions, options);
+  },
+
+  cancel({tid}) {
+    if (this._tid == tid) {
+      this.reset();
+    }
+  },
+
+  reset() {
+    if (this._current) {
+      this._current.remove();
+    }
+  },
+
+  buildProceedAction(mgr, tid) {
+    return {
+      label: gNavigatorBundle.getString("webauthn.proceed"),
+      accessKey: gNavigatorBundle.getString("webauthn.proceed.accesskey"),
+      callback(state) {
+        mgr.resumeRegister(tid, !state.checkboxChecked);
+      }
+    };
+  },
+
+  buildCancelAction(mgr, tid) {
+    return {
+      label: gNavigatorBundle.getString("webauthn.cancel"),
+      accessKey: gNavigatorBundle.getString("webauthn.cancel.accesskey"),
+      callback() {
+        mgr.cancel(tid);
+      }
+    };
+  },
+};
+
 function CanCloseWindow() {
   // Avoid redundant calls to canClose from showing multiple
   // PermitUnload dialogs.
   if (Services.startup.shuttingDown || window.skipNextCanClose) {
     return true;
   }
 
   let timedOutProcesses = new WeakSet();
--- a/browser/installer/package-manifest.in
+++ b/browser/installer/package-manifest.in
@@ -211,16 +211,17 @@
 @RESPATH@/components/dom_payments.xpt
 @RESPATH@/components/dom_power.xpt
 @RESPATH@/components/dom_push.xpt
 @RESPATH@/components/dom_quota.xpt
 @RESPATH@/components/dom_range.xpt
 @RESPATH@/components/dom_security.xpt
 @RESPATH@/components/dom_sidebar.xpt
 @RESPATH@/components/dom_storage.xpt
+@RESPATH@/components/dom_webauthn.xpt
 #ifdef MOZ_WEBSPEECH
 @RESPATH@/components/dom_webspeechrecognition.xpt
 #endif
 @RESPATH@/components/dom_workers.xpt
 @RESPATH@/components/dom_xul.xpt
 @RESPATH@/components/dom_presentation.xpt
 @RESPATH@/components/downloads.xpt
 @RESPATH@/components/editor.xpt
--- a/browser/locales/en-US/chrome/browser/browser.properties
+++ b/browser/locales/en-US/chrome/browser/browser.properties
@@ -499,16 +499,38 @@ offlineApps.manageUsageAccessKey=S
 # LOCALIZATION NOTE (canvas.siteprompt): %S is hostname
 canvas.siteprompt=Will you allow %S to use your HTML5 canvas image data? This may be used to uniquely identify your computer.
 canvas.notAllow=Don’t Allow
 canvas.notAllow.accesskey=n
 canvas.allow=Allow Data Access
 canvas.allow.accesskey=A
 canvas.remember=Always remember my decision
 
+# WebAuthn prompts
+# LOCALIZATION NOTE (webauthn.registerPrompt): %S is hostname
+webauthn.registerPrompt=%S wants to register an account with one of your security tokens. You can connect and authorize one now, or cancel.
+# LOCALIZATION NOTE (webauthn.registerDirectPrompt):
+# %1$S is hostname. %2$S is brandShortName.
+# The website is asking for extended information about your
+# hardware authenticator that shouldn't be generally necessary. Permitting
+# this is safe if you only use one account at this website. If you have
+# multiple accounts at this website, and you use the same hardware
+# authenticator, then the website could link those accounts together.
+# And this is true even if you use a different profile / browser (or even Tor
+# Browser). To avoid this, you should use different hardware authenticators
+# for different accounts on this website.
+webauthn.registerDirectPrompt=%1$S is requesting extended information about your authenticator, which may affect your privacy.\n\n%2$S can anonymize this for you, but the website might decline this authenticator. If declined, you can try again.
+# LOCALIZATION NOTE (webauthn.signPrompt): %S is hostname
+webauthn.signPrompt=%S wants to authenticate you using a registered security token. You can connect and authorize one now, or cancel.
+webauthn.cancel=Cancel
+webauthn.cancel.accesskey=c
+webauthn.proceed=Proceed
+webauthn.proceed.accesskey=p
+webauthn.anonymize=Anonymize anyway
+
 # Spoof Accept-Language prompt
 privacy.spoof_english=Changing your language setting to English will make you more difficult to identify and enhance your privacy. Do you want to request English language versions of web pages?
 
 identity.identified.verifier=Verified by: %S
 identity.identified.verified_by_you=You have added a security exception for this site.
 identity.identified.state_and_country=%S, %S
 
 # LOCALIZATION NOTE (identity.notSecure.label):
--- a/dom/ipc/ContentPrefs.cpp
+++ b/dom/ipc/ContentPrefs.cpp
@@ -126,16 +126,17 @@ const char* mozilla::dom::ContentPrefs::
   "javascript.options.ion.unsafe_eager_compilation",
   "javascript.options.jit.full_debug_checks",
   "javascript.options.native_regexp",
   "javascript.options.parallel_parsing",
   "javascript.options.shared_memory",
   "javascript.options.spectre.index_masking",
   "javascript.options.spectre.jit_to_C++_calls",
   "javascript.options.spectre.object_mitigations.barriers",
+  "javascript.options.spectre.object_mitigations.misc",
   "javascript.options.spectre.string_mitigations",
   "javascript.options.spectre.value_masking",
   "javascript.options.streams",
   "javascript.options.strict",
   "javascript.options.strict.debug",
   "javascript.options.throw_on_asmjs_validation_failure",
   "javascript.options.throw_on_debuggee_would_run",
   "javascript.options.wasm",
--- a/dom/svg/SVGContentUtils.cpp
+++ b/dom/svg/SVGContentUtils.cpp
@@ -77,17 +77,17 @@ GetStrokeDashData(SVGContentUtils::AutoS
                   const nsStyleSVG* aStyleSVG,
                   SVGContextPaint* aContextPaint)
 {
   size_t dashArrayLength;
   Float totalLengthOfDashes = 0.0, totalLengthOfGaps = 0.0;
   Float pathScale = 1.0;
 
   if (aContextPaint && aStyleSVG->StrokeDasharrayFromObject()) {
-    const FallibleTArray<gfxFloat>& dashSrc = aContextPaint->GetStrokeDashArray();
+    const FallibleTArray<Float>& dashSrc = aContextPaint->GetStrokeDashArray();
     dashArrayLength = dashSrc.Length();
     if (dashArrayLength <= 0) {
       return eContinuousStroke;
     }
     Float* dashPattern = aStrokeOptions->InitDashPattern(dashArrayLength);
     if (!dashPattern) {
       return eContinuousStroke;
     }
--- a/dom/u2f/U2F.cpp
+++ b/dom/u2f/U2F.cpp
@@ -337,22 +337,24 @@ U2F::Register(const nsAString& aAppId,
 
   // Default values for U2F.
   WebAuthnAuthenticatorSelection authSelection(false /* requireResidentKey */,
                                                false /* requireUserVerification */,
                                                false /* requirePlatformAttachment */);
 
   uint32_t adjustedTimeoutMillis = AdjustedTimeoutMillis(opt_aTimeoutSeconds);
 
-  WebAuthnMakeCredentialInfo info(rpIdHash,
+  WebAuthnMakeCredentialInfo info(mOrigin,
+                                  rpIdHash,
                                   clientDataHash,
                                   adjustedTimeoutMillis,
                                   excludeList,
                                   extensions,
-                                  authSelection);
+                                  authSelection,
+                                  false /* RequestDirectAttestation */);
 
   MOZ_ASSERT(mTransaction.isNothing());
   mTransaction = Some(U2FTransaction(clientData, Move(AsVariant(callback))));
   mChild->SendRequestRegister(mTransaction.ref().mId, info);
 }
 
 void
 U2F::FinishMakeCredential(const uint64_t& aTransactionId,
@@ -478,17 +480,18 @@ U2F::Sign(const nsAString& aAppId,
 
   ListenForVisibilityEvents();
 
   // Always blank for U2F
   nsTArray<WebAuthnExtension> extensions;
 
   uint32_t adjustedTimeoutMillis = AdjustedTimeoutMillis(opt_aTimeoutSeconds);
 
-  WebAuthnGetAssertionInfo info(rpIdHash,
+  WebAuthnGetAssertionInfo info(mOrigin,
+                                rpIdHash,
                                 clientDataHash,
                                 adjustedTimeoutMillis,
                                 permittedList,
                                 false, /* requireUserVerification */
                                 extensions);
 
   MOZ_ASSERT(mTransaction.isNothing());
   mTransaction = Some(U2FTransaction(clientData, Move(AsVariant(callback))));
--- a/dom/webauthn/PWebAuthnTransaction.ipdl
+++ b/dom/webauthn/PWebAuthnTransaction.ipdl
@@ -42,29 +42,33 @@ struct WebAuthnExtensionResultAppId {
   bool AppId;
 };
 
 union WebAuthnExtensionResult {
   WebAuthnExtensionResultAppId;
 };
 
 struct WebAuthnMakeCredentialInfo {
+  nsString Origin;
   uint8_t[] RpIdHash;
   uint8_t[] ClientDataHash;
   uint32_t TimeoutMS;
   WebAuthnScopedCredential[] ExcludeList;
   WebAuthnExtension[] Extensions;
   WebAuthnAuthenticatorSelection AuthenticatorSelection;
+  bool RequestDirectAttestation;
 };
 
 struct WebAuthnMakeCredentialResult {
   uint8_t[] RegBuffer;
+  bool DirectAttestationPermitted;
 };
 
 struct WebAuthnGetAssertionInfo {
+  nsString Origin;
   uint8_t[] RpIdHash;
   uint8_t[] ClientDataHash;
   uint32_t TimeoutMS;
   WebAuthnScopedCredential[] AllowList;
   bool RequireUserVerification;
   WebAuthnExtension[] Extensions;
 };
 
--- a/dom/webauthn/U2FHIDTokenManager.cpp
+++ b/dom/webauthn/U2FHIDTokenManager.cpp
@@ -219,17 +219,19 @@ U2FHIDTokenManager::HandleRegisterResult
   MOZ_ASSERT(!mRegisterPromise.IsEmpty());
 
   nsTArray<uint8_t> registration;
   if (!aResult->CopyRegistration(registration)) {
     mRegisterPromise.Reject(NS_ERROR_DOM_UNKNOWN_ERR, __func__);
     return;
   }
 
-  WebAuthnMakeCredentialResult result(registration);
+  // Will be set by the U2FTokenManager.
+  bool directAttestationPermitted = false;
+  WebAuthnMakeCredentialResult result(registration, directAttestationPermitted);
   mRegisterPromise.Resolve(Move(result), __func__);
 }
 
 void
 U2FHIDTokenManager::HandleSignResult(UniquePtr<U2FResult>&& aResult)
 {
   mozilla::ipc::AssertIsOnBackgroundThread();
 
--- a/dom/webauthn/U2FSoftTokenManager.cpp
+++ b/dom/webauthn/U2FSoftTokenManager.cpp
@@ -683,17 +683,20 @@ U2FSoftTokenManager::Register(const WebA
   }
   registrationBuf.AppendElement(0x05, mozilla::fallible);
   registrationBuf.AppendSECItem(pubKey->u.ec.publicValue);
   registrationBuf.AppendElement(keyHandleItem->len, mozilla::fallible);
   registrationBuf.AppendSECItem(keyHandleItem.get());
   registrationBuf.AppendSECItem(attestCert.get()->derCert);
   registrationBuf.AppendSECItem(signatureItem);
 
-  WebAuthnMakeCredentialResult result((nsTArray<uint8_t>(registrationBuf)));
+  // Will be set by the U2FTokenManager.
+  bool directAttestationPermitted = false;
+  WebAuthnMakeCredentialResult result((nsTArray<uint8_t>(registrationBuf)),
+                                      directAttestationPermitted);
   return U2FRegisterPromise::CreateAndResolve(Move(result), __func__);
 }
 
 bool
 U2FSoftTokenManager::FindRegisteredKeyHandle(const nsTArray<nsTArray<uint8_t>>& aAppIds,
                                              const nsTArray<WebAuthnScopedCredential>& aCredentials,
                                              /*out*/ nsTArray<uint8_t>& aKeyHandle,
                                              /*out*/ nsTArray<uint8_t>& aAppId)
--- a/dom/webauthn/U2FTokenManager.cpp
+++ b/dom/webauthn/U2FTokenManager.cpp
@@ -6,45 +6,59 @@
 
 #include "mozilla/dom/U2FTokenManager.h"
 #include "mozilla/dom/U2FTokenTransport.h"
 #include "mozilla/dom/U2FHIDTokenManager.h"
 #include "mozilla/dom/U2FSoftTokenManager.h"
 #include "mozilla/dom/PWebAuthnTransactionParent.h"
 #include "mozilla/MozPromise.h"
 #include "mozilla/dom/WebAuthnUtil.h"
+#include "mozilla/ipc/BackgroundParent.h"
 #include "mozilla/ClearOnShutdown.h"
 #include "mozilla/Unused.h"
 #include "hasht.h"
 #include "nsICryptoHash.h"
+#include "nsTextFormatter.h"
 #include "pkix/Input.h"
 #include "pkixutil.h"
 
 // Not named "security.webauth.u2f_softtoken_counter" because setting that
 // name causes the window.u2f object to disappear until preferences get
 // reloaded, as its pref is a substring!
 #define PREF_U2F_NSSTOKEN_COUNTER "security.webauth.softtoken_counter"
 #define PREF_WEBAUTHN_SOFTTOKEN_ENABLED "security.webauth.webauthn_enable_softtoken"
 #define PREF_WEBAUTHN_USBTOKEN_ENABLED "security.webauth.webauthn_enable_usbtoken"
+#define PREF_WEBAUTHN_ALLOW_DIRECT_ATTESTATION "security.webauth.webauthn_testing_allow_direct_attestation"
 
 namespace mozilla {
 namespace dom {
 
 /***********************************************************************
  * Statics
  **********************************************************************/
 
 class U2FPrefManager;
 
 namespace {
 static mozilla::LazyLogModule gU2FTokenManagerLog("u2fkeymanager");
 StaticRefPtr<U2FTokenManager> gU2FTokenManager;
 StaticRefPtr<U2FPrefManager> gPrefManager;
+static nsIThread* gBackgroundThread;
 }
 
+// Data for WebAuthn UI prompt notifications.
+static const char16_t kRegisterPromptNotifcation[] =
+  u"{\"action\":\"register\",\"tid\":%llu,\"origin\":\"%s\"}";
+static const char16_t kRegisterDirectPromptNotifcation[] =
+  u"{\"action\":\"register-direct\",\"tid\":%llu,\"origin\":\"%s\"}";
+static const char16_t kSignPromptNotifcation[] =
+  u"{\"action\":\"sign\",\"tid\":%llu,\"origin\":\"%s\"}";
+static const char16_t kCancelPromptNotifcation[] =
+  u"{\"action\":\"cancel\",\"tid\":%llu}";
+
 class U2FPrefManager final : public nsIObserver
 {
 private:
   U2FPrefManager() :
     mPrefMutex("U2FPrefManager Mutex")
   {
     UpdateValues();
   }
@@ -56,16 +70,17 @@ public:
   static U2FPrefManager* GetOrCreate()
   {
     MOZ_ASSERT(NS_IsMainThread());
     if (!gPrefManager) {
       gPrefManager = new U2FPrefManager();
       Preferences::AddStrongObserver(gPrefManager, PREF_WEBAUTHN_SOFTTOKEN_ENABLED);
       Preferences::AddStrongObserver(gPrefManager, PREF_U2F_NSSTOKEN_COUNTER);
       Preferences::AddStrongObserver(gPrefManager, PREF_WEBAUTHN_USBTOKEN_ENABLED);
+      Preferences::AddStrongObserver(gPrefManager, PREF_WEBAUTHN_ALLOW_DIRECT_ATTESTATION);
       ClearOnShutdown(&gPrefManager, ShutdownPhase::ShutdownThreads);
     }
     return gPrefManager;
   }
 
   static U2FPrefManager* Get()
   {
     return gPrefManager;
@@ -84,61 +99,66 @@ public:
   }
 
   bool GetUsbTokenEnabled()
   {
     MutexAutoLock lock(mPrefMutex);
     return mUsbTokenEnabled;
   }
 
+  bool GetAllowDirectAttestationForTesting()
+  {
+    MutexAutoLock lock(mPrefMutex);
+    return mAllowDirectAttestation;
+  }
+
   NS_IMETHODIMP
   Observe(nsISupports* aSubject,
           const char* aTopic,
           const char16_t* aData) override
   {
     UpdateValues();
     return NS_OK;
   }
 private:
   void UpdateValues() {
     MOZ_ASSERT(NS_IsMainThread());
     MutexAutoLock lock(mPrefMutex);
     mSoftTokenEnabled = Preferences::GetBool(PREF_WEBAUTHN_SOFTTOKEN_ENABLED);
     mSoftTokenCounter = Preferences::GetUint(PREF_U2F_NSSTOKEN_COUNTER);
     mUsbTokenEnabled = Preferences::GetBool(PREF_WEBAUTHN_USBTOKEN_ENABLED);
+    mAllowDirectAttestation = Preferences::GetBool(PREF_WEBAUTHN_ALLOW_DIRECT_ATTESTATION);
   }
 
   Mutex mPrefMutex;
   bool mSoftTokenEnabled;
   int mSoftTokenCounter;
   bool mUsbTokenEnabled;
+  bool mAllowDirectAttestation;
 };
 
 NS_IMPL_ISUPPORTS(U2FPrefManager, nsIObserver);
 
 /***********************************************************************
  * U2FManager Implementation
  **********************************************************************/
 
+NS_IMPL_ISUPPORTS(U2FTokenManager, nsIU2FTokenManager);
+
 U2FTokenManager::U2FTokenManager()
   : mTransactionParent(nullptr)
   , mLastTransactionId(0)
 {
   MOZ_ASSERT(XRE_IsParentProcess());
   // Create on the main thread to make sure ClearOnShutdown() works.
   MOZ_ASSERT(NS_IsMainThread());
   // Create the preference manager while we're initializing.
   U2FPrefManager::GetOrCreate();
 }
 
-U2FTokenManager::~U2FTokenManager()
-{
-  MOZ_ASSERT(NS_IsMainThread());
-}
-
 //static
 void
 U2FTokenManager::Initialize()
 {
   if (!XRE_IsParentProcess()) {
     return;
   }
   MOZ_ASSERT(NS_IsMainThread());
@@ -173,38 +193,85 @@ U2FTokenManager::MaybeClearTransaction(P
   if (mTransactionParent == aParent) {
     ClearTransaction();
   }
 }
 
 void
 U2FTokenManager::ClearTransaction()
 {
+  if (mLastTransactionId > 0) {
+    // Remove any prompts we might be showing for the current transaction.
+    SendPromptNotification(kCancelPromptNotifcation, mLastTransactionId);
+  }
+
   mTransactionParent = nullptr;
+
   // Drop managers at the end of all transactions
   if (mTokenManagerImpl) {
     mTokenManagerImpl->Drop();
     mTokenManagerImpl = nullptr;
   }
+
   // Forget promises, if necessary.
   mRegisterPromise.DisconnectIfExists();
   mSignPromise.DisconnectIfExists();
+
   // Clear transaction id.
   mLastTransactionId = 0;
+
+  // Forget any pending registration.
+  mPendingRegisterInfo.reset();
+}
+
+template<typename ...T> void
+U2FTokenManager::SendPromptNotification(const char16_t* aFormat, T... aArgs)
+{
+  mozilla::ipc::AssertIsOnBackgroundThread();
+
+  nsAutoString json;
+  nsTextFormatter::ssprintf(json, aFormat, aArgs...);
+
+  nsCOMPtr<nsIRunnable> r(NewRunnableMethod<nsString>(
+      "U2FTokenManager::RunSendPromptNotification", this,
+      &U2FTokenManager::RunSendPromptNotification, json));
+
+  MOZ_ALWAYS_SUCCEEDS(
+    GetMainThreadEventTarget()->Dispatch(r.forget(), NS_DISPATCH_NORMAL));
+}
+
+void
+U2FTokenManager::RunSendPromptNotification(nsString aJSON)
+{
+  MOZ_ASSERT(NS_IsMainThread());
+
+  nsCOMPtr<nsIObserverService> os = services::GetObserverService();
+  if (NS_WARN_IF(!os)) {
+    return;
+  }
+
+  nsCOMPtr<nsIU2FTokenManager> self = do_QueryInterface(this);
+  MOZ_ALWAYS_SUCCEEDS(os->NotifyObservers(self, "webauthn-prompt", aJSON.get()));
 }
 
 RefPtr<U2FTokenTransport>
 U2FTokenManager::GetTokenManagerImpl()
 {
   MOZ_ASSERT(U2FPrefManager::Get());
+  mozilla::ipc::AssertIsOnBackgroundThread();
 
   if (mTokenManagerImpl) {
     return mTokenManagerImpl;
   }
 
+  if (!gBackgroundThread) {
+    gBackgroundThread = NS_GetCurrentThread();
+    MOZ_ASSERT(gBackgroundThread, "This should never be null!");
+  }
+
   auto pm = U2FPrefManager::Get();
 
   // Prefer the HW token, even if the softtoken is enabled too.
   // We currently don't support soft and USB tokens enabled at the
   // same time as the softtoken would always win the race to register.
   // We could support it for signing though...
   if (pm->GetUsbTokenEnabled()) {
     return new U2FHIDTokenManager();
@@ -241,23 +308,60 @@ U2FTokenManager::Register(PWebAuthnTrans
   // UnknownError and terminate the operation.
 
   if ((aTransactionInfo.RpIdHash().Length() != SHA256_LENGTH) ||
       (aTransactionInfo.ClientDataHash().Length() != SHA256_LENGTH)) {
     AbortTransaction(aTransactionId, NS_ERROR_DOM_UNKNOWN_ERR);
     return;
   }
 
-  uint64_t tid = mLastTransactionId = aTransactionId;
+  mLastTransactionId = aTransactionId;
+
+  // If the RP request direct attestation, ask the user for permission and
+  // store the transaction info until the user proceeds or cancels.
+  // Might be overriden by a pref for testing purposes.
+  if (aTransactionInfo.RequestDirectAttestation() &&
+      !U2FPrefManager::Get()->GetAllowDirectAttestationForTesting()) {
+    NS_ConvertUTF16toUTF8 origin(aTransactionInfo.Origin());
+    SendPromptNotification(kRegisterDirectPromptNotifcation,
+                           aTransactionId,
+                           origin.get());
+
+    MOZ_ASSERT(mPendingRegisterInfo.isNothing());
+    mPendingRegisterInfo = Some(aTransactionInfo);
+  } else {
+    DoRegister(aTransactionInfo);
+  }
+}
+
+void
+U2FTokenManager::DoRegister(const WebAuthnMakeCredentialInfo& aInfo)
+{
+  mozilla::ipc::AssertIsOnBackgroundThread();
+  MOZ_ASSERT(mLastTransactionId > 0);
+
+  // Show a prompt that lets the user cancel the ongoing transaction.
+  NS_ConvertUTF16toUTF8 origin(aInfo.Origin());
+  SendPromptNotification(kRegisterPromptNotifcation,
+                         mLastTransactionId,
+                         origin.get());
+
+  uint64_t tid = mLastTransactionId;
   mozilla::TimeStamp startTime = mozilla::TimeStamp::Now();
+  bool requestDirectAttestation = aInfo.RequestDirectAttestation();
+
   mTokenManagerImpl
-    ->Register(aTransactionInfo)
+    ->Register(aInfo)
     ->Then(GetCurrentThreadSerialEventTarget(), __func__,
-          [tid, startTime](WebAuthnMakeCredentialResult&& aResult) {
+          [tid, startTime, requestDirectAttestation](WebAuthnMakeCredentialResult&& aResult) {
             U2FTokenManager* mgr = U2FTokenManager::Get();
+            // The token manager implementations set DirectAttestationPermitted
+            // to false by default. Override this here with information from
+            // the JS prompt.
+            aResult.DirectAttestationPermitted() = requestDirectAttestation;
             mgr->MaybeConfirmRegister(tid, aResult);
             Telemetry::ScalarAdd(
               Telemetry::ScalarID::SECURITY_WEBAUTHN_USED,
               NS_LITERAL_STRING("U2FRegisterFinish"), 1);
             Telemetry::AccumulateTimeDelta(
               Telemetry::WEBAUTHN_CREATE_CREDENTIAL_MS,
               startTime);
           },
@@ -309,18 +413,25 @@ U2FTokenManager::Sign(PWebAuthnTransacti
   }
 
   if ((aTransactionInfo.RpIdHash().Length() != SHA256_LENGTH) ||
       (aTransactionInfo.ClientDataHash().Length() != SHA256_LENGTH)) {
     AbortTransaction(aTransactionId, NS_ERROR_DOM_UNKNOWN_ERR);
     return;
   }
 
+  // Show a prompt that lets the user cancel the ongoing transaction.
+  NS_ConvertUTF16toUTF8 origin(aTransactionInfo.Origin());
+  SendPromptNotification(kSignPromptNotifcation,
+                         aTransactionId,
+                         origin.get());
+
   uint64_t tid = mLastTransactionId = aTransactionId;
   mozilla::TimeStamp startTime = mozilla::TimeStamp::Now();
+
   mTokenManagerImpl
     ->Sign(aTransactionInfo)
     ->Then(GetCurrentThreadSerialEventTarget(), __func__,
       [tid, startTime](WebAuthnGetAssertionResult&& aResult) {
         U2FTokenManager* mgr = U2FTokenManager::Get();
         mgr->MaybeConfirmSign(tid, aResult);
         Telemetry::ScalarAdd(
           Telemetry::ScalarID::SECURITY_WEBAUTHN_USED,
@@ -367,10 +478,87 @@ U2FTokenManager::Cancel(PWebAuthnTransac
   if (mTransactionParent != aParent || mLastTransactionId != aTransactionId) {
     return;
   }
 
   mTokenManagerImpl->Cancel();
   ClearTransaction();
 }
 
+// nsIU2FTokenManager
+
+NS_IMETHODIMP
+U2FTokenManager::ResumeRegister(uint64_t aTransactionId,
+                                bool aPermitDirectAttestation)
+{
+  MOZ_ASSERT(XRE_IsParentProcess());
+  MOZ_ASSERT(NS_IsMainThread());
+
+  if (!gBackgroundThread) {
+    return NS_ERROR_FAILURE;
+  }
+
+  nsCOMPtr<nsIRunnable> r(NewRunnableMethod<uint64_t, bool>(
+      "U2FTokenManager::RunResumeRegister", this,
+      &U2FTokenManager::RunResumeRegister, aTransactionId,
+      aPermitDirectAttestation));
+
+  return gBackgroundThread->Dispatch(r.forget(), NS_DISPATCH_NORMAL);
+}
+
+void
+U2FTokenManager::RunResumeRegister(uint64_t aTransactionId,
+                                   bool aPermitDirectAttestation)
+{
+  mozilla::ipc::AssertIsOnBackgroundThread();
+
+  if (NS_WARN_IF(mPendingRegisterInfo.isNothing())) {
+    return;
+  }
+
+  if (mLastTransactionId != aTransactionId) {
+    return;
+  }
+
+  // Forward whether the user opted into direct attestation.
+  mPendingRegisterInfo.ref().RequestDirectAttestation() =
+    aPermitDirectAttestation;
+
+  // Resume registration and cleanup.
+  DoRegister(mPendingRegisterInfo.ref());
+  mPendingRegisterInfo.reset();
+}
+
+NS_IMETHODIMP
+U2FTokenManager::Cancel(uint64_t aTransactionId)
+{
+  MOZ_ASSERT(XRE_IsParentProcess());
+  MOZ_ASSERT(NS_IsMainThread());
+
+  if (!gBackgroundThread) {
+    return NS_ERROR_FAILURE;
+  }
+
+  nsCOMPtr<nsIRunnable> r(NewRunnableMethod<uint64_t>(
+      "U2FTokenManager::RunCancel", this,
+      &U2FTokenManager::RunCancel, aTransactionId));
+
+  return gBackgroundThread->Dispatch(r.forget(), NS_DISPATCH_NORMAL);
+}
+
+void
+U2FTokenManager::RunCancel(uint64_t aTransactionId)
+{
+  mozilla::ipc::AssertIsOnBackgroundThread();
+
+  if (mLastTransactionId != aTransactionId) {
+    return;
+  }
+
+  // Cancel the request.
+  mTokenManagerImpl->Cancel();
+
+  // Reject the promise.
+  AbortTransaction(aTransactionId, NS_ERROR_DOM_ABORT_ERR);
+}
+
 }
 }
--- a/dom/webauthn/U2FTokenManager.h
+++ b/dom/webauthn/U2FTokenManager.h
@@ -2,16 +2,17 @@
 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef mozilla_dom_U2FTokenManager_h
 #define mozilla_dom_U2FTokenManager_h
 
+#include "nsIU2FTokenManager.h"
 #include "mozilla/dom/U2FTokenTransport.h"
 #include "mozilla/dom/PWebAuthnTransaction.h"
 
 /*
  * Parent process manager for U2F and WebAuthn API transactions. Handles process
  * transactions from all content processes, make sure only one transaction is
  * live at any time. Manages access to hardware and software based key systems.
  *
@@ -21,52 +22,67 @@
  */
 
 namespace mozilla {
 namespace dom {
 
 class U2FSoftTokenManager;
 class WebAuthnTransactionParent;
 
-class U2FTokenManager final
+class U2FTokenManager final : public nsIU2FTokenManager
 {
 public:
-  NS_INLINE_DECL_REFCOUNTING(U2FTokenManager)
+  NS_DECL_THREADSAFE_ISUPPORTS
+  NS_DECL_NSIU2FTOKENMANAGER
+
   static U2FTokenManager* Get();
   void Register(PWebAuthnTransactionParent* aTransactionParent,
                 const uint64_t& aTransactionId,
                 const WebAuthnMakeCredentialInfo& aTransactionInfo);
   void Sign(PWebAuthnTransactionParent* aTransactionParent,
             const uint64_t& aTransactionId,
             const WebAuthnGetAssertionInfo& aTransactionInfo);
   void Cancel(PWebAuthnTransactionParent* aTransactionParent,
               const uint64_t& aTransactionId);
   void MaybeClearTransaction(PWebAuthnTransactionParent* aParent);
   static void Initialize();
 private:
   U2FTokenManager();
-  ~U2FTokenManager();
+  ~U2FTokenManager() { }
   RefPtr<U2FTokenTransport> GetTokenManagerImpl();
   void AbortTransaction(const uint64_t& aTransactionId, const nsresult& aError);
   void ClearTransaction();
+  // Step two of "Register", kicking off the actual transaction.
+  void DoRegister(const WebAuthnMakeCredentialInfo& aInfo);
   void MaybeConfirmRegister(const uint64_t& aTransactionId,
                             const WebAuthnMakeCredentialResult& aResult);
   void MaybeAbortRegister(const uint64_t& aTransactionId, const nsresult& aError);
   void MaybeConfirmSign(const uint64_t& aTransactionId,
                         const WebAuthnGetAssertionResult& aResult);
   void MaybeAbortSign(const uint64_t& aTransactionId, const nsresult& aError);
+  // The main thread runnable function for "nsIU2FTokenManager.ResumeRegister".
+  void RunResumeRegister(uint64_t aTransactionId, bool aPermitDirectAttestation);
+  // The main thread runnable function for "nsIU2FTokenManager.Cancel".
+  void RunCancel(uint64_t aTransactionId);
+  // Sends a "webauthn-prompt" observer notification with the given data.
+  template<typename ...T>
+  void SendPromptNotification(const char16_t* aFormat, T... aArgs);
+  // The main thread runnable function for "SendPromptNotification".
+  void RunSendPromptNotification(nsString aJSON);
   // Using a raw pointer here, as the lifetime of the IPC object is managed by
   // the PBackground protocol code. This means we cannot be left holding an
   // invalid IPC protocol object after the transaction is finished.
   PWebAuthnTransactionParent* mTransactionParent;
   RefPtr<U2FTokenTransport> mTokenManagerImpl;
   MozPromiseRequestHolder<U2FRegisterPromise> mRegisterPromise;
   MozPromiseRequestHolder<U2FSignPromise> mSignPromise;
   // The last transaction id, non-zero if there's an active transaction. This
   // guards any cancel messages to ensure we don't cancel newer transactions
   // due to a stale message.
   uint64_t mLastTransactionId;
+  // Pending registration info while we wait for user input.
+  Maybe<WebAuthnMakeCredentialInfo> mPendingRegisterInfo;
 };
 
 } // namespace dom
 } // namespace mozilla
 
 #endif // mozilla_dom_U2FTokenManager_h
--- a/dom/webauthn/WebAuthnManager.cpp
+++ b/dom/webauthn/WebAuthnManager.cpp
@@ -403,46 +403,29 @@ WebAuthnManager::MakeCredential(const Pu
   bool requireUserVerification =
     selection.mUserVerification == UserVerificationRequirement::Required;
 
   // Does the RP desire direct attestation? Indirect attestation is not
   // implemented, and thus is equivilent to None.
   bool requestDirectAttestation =
     attestation == AttestationConveyancePreference::Direct;
 
-  // XXX Bug 1430150. Need something that allows direct attestation
-  // for tests until we implement a permission dialog we can click.
-  if (requestDirectAttestation) {
-    nsresult rv;
-    nsCOMPtr<nsIPrefService> prefService = do_GetService(NS_PREFSERVICE_CONTRACTID, &rv);
-
-    if (NS_SUCCEEDED(rv)) {
-      nsCOMPtr<nsIPrefBranch> branch;
-      rv = prefService->GetBranch("security.webauth.", getter_AddRefs(branch));
-
-      if (NS_SUCCEEDED(rv)) {
-        rv = branch->GetBoolPref("webauthn_testing_allow_direct_attestation",
-                                 &requestDirectAttestation);
-      }
-    }
-
-    requestDirectAttestation &= NS_SUCCEEDED(rv);
-  }
-
   // Create and forward authenticator selection criteria.
   WebAuthnAuthenticatorSelection authSelection(selection.mRequireResidentKey,
                                                requireUserVerification,
                                                requirePlatformAttachment);
 
-  WebAuthnMakeCredentialInfo info(rpIdHash,
+  WebAuthnMakeCredentialInfo info(origin,
+                                  rpIdHash,
                                   clientDataHash,
                                   adjustedTimeout,
                                   excludeList,
                                   extensions,
-                                  authSelection);
+                                  authSelection,
+                                  requestDirectAttestation);
 
   ListenForVisibilityEvents();
 
   AbortSignal* signal = nullptr;
   if (aSignal.WasPassed()) {
     signal = &aSignal.Value();
     Follow(signal);
   }
@@ -450,16 +433,17 @@ WebAuthnManager::MakeCredential(const Pu
   MOZ_ASSERT(mTransaction.isNothing());
   mTransaction = Some(WebAuthnTransaction(promise,
                                           rpIdHash,
                                           clientDataJSON,
                                           requestDirectAttestation,
                                           signal));
 
   mChild->SendRequestRegister(mTransaction.ref().mId, info);
+
   return promise.forget();
 }
 
 already_AddRefed<Promise>
 WebAuthnManager::GetAssertion(const PublicKeyCredentialRequestOptions& aOptions,
                               const Optional<OwningNonNull<AbortSignal>>& aSignal)
 {
   MOZ_ASSERT(NS_IsMainThread());
@@ -633,17 +617,18 @@ WebAuthnManager::GetAssertion(const Publ
       promise->MaybeReject(NS_ERROR_DOM_SECURITY_ERR);
       return promise.forget();
     }
 
     // Append the hash and send it to the backend.
     extensions.AppendElement(WebAuthnExtensionAppId(appIdHash));
   }
 
-  WebAuthnGetAssertionInfo info(rpIdHash,
+  WebAuthnGetAssertionInfo info(origin,
+                                rpIdHash,
                                 clientDataHash,
                                 adjustedTimeout,
                                 allowList,
                                 requireUserVerification,
                                 extensions);
 
   ListenForVisibilityEvents();
 
@@ -780,20 +765,20 @@ WebAuthnManager::FinishMakeCredential(co
   mozilla::dom::CryptoBuffer authDataBuf;
   rv = AssembleAuthenticatorData(rpIdHashBuf, FLAG_TUP, counterBuf, attDataBuf,
                                  authDataBuf);
   if (NS_FAILED(rv)) {
     RejectTransaction(rv);
     return;
   }
 
-  // Direct attestation might have been requested by the RP. mDirectAttestation
-  // will be true only if the user consented via the permission UI.
+  // Direct attestation might have been requested by the RP. This will
+  // be true only if the user consented via the permission UI.
   CryptoBuffer attObj;
-  if (mTransaction.ref().mDirectAttestation) {
+  if (aResult.DirectAttestationPermitted()) {
     rv = CBOREncodeFidoU2FAttestationObj(authDataBuf, attestationCertBuf,
                                          signatureBuf, attObj);
   } else {
     rv = CBOREncodeNoneAttestationObj(authDataBuf, attObj);
   }
 
   if (NS_FAILED(rv)) {
     RejectTransaction(rv);
--- a/dom/webauthn/moz.build
+++ b/dom/webauthn/moz.build
@@ -6,16 +6,22 @@
 
 with Files("**"):
     BUG_COMPONENT = ("Core", "DOM: Device Interfaces")
 
 IPDL_SOURCES += [
     'PWebAuthnTransaction.ipdl'
 ]
 
+XPIDL_SOURCES += [
+    'nsIU2FTokenManager.idl'
+]
+
+XPIDL_MODULE = 'dom_webauthn'
+
 EXPORTS.mozilla.dom += [
     'AuthenticatorAssertionResponse.h',
     'AuthenticatorAttestationResponse.h',
     'AuthenticatorResponse.h',
     'PublicKeyCredential.h',
     'U2FHIDTokenManager.h',
     'U2FSoftTokenManager.h',
     'U2FTokenManager.h',
new file mode 100644
--- /dev/null
+++ b/dom/webauthn/nsIU2FTokenManager.idl
@@ -0,0 +1,38 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+/**
+ * nsIU2FTokenManager
+ *
+ * An interface to the U2FTokenManager singleton.
+ *
+ * This should be used only by the WebAuthn browser UI prompts.
+ */
+
+[scriptable, uuid(745e1eac-e449-4342-bca1-ee0e6ead09fc)]
+interface nsIU2FTokenManager : nsISupports
+{
+    /**
+     * Resumes the current WebAuthn/U2F transaction if that matches the given
+     * transaction ID. This is used only when direct attestation was requested
+     * and we have to wait for user input to proceed.
+     *
+     * @param aTransactionID : The ID of the transaction to resume.
+     * @param aPermitDirectAttestation : Whether direct attestation was
+     *                                   permitted by the user.
+     */
+    void resumeRegister(in uint64_t aTransactionID,
+                        in bool aPermitDirectAttestation);
+
+    /**
+     * Cancels the current WebAuthn/U2F transaction if that matches the given
+     * transaction ID.
+     *
+     * @param aTransactionID : The ID of the transaction to cancel.
+     */
+    void cancel(in uint64_t aTransactionID);
+};
--- a/dom/webauthn/tests/browser/browser.ini
+++ b/dom/webauthn/tests/browser/browser.ini
@@ -1,13 +1,14 @@
 [DEFAULT]
 support-files =
   head.js
   tab_webauthn_result.html
   tab_webauthn_success.html
-  ../cbor/*
   ../pkijs/*
+  ../cbor.js
   ../u2futil.js
 skip-if = !e10s
 
 [browser_abort_visibility.js]
 [browser_fido_appid_extension.js]
+[browser_webauthn_prompts.js]
 [browser_webauthn_telemetry.js]
new file mode 100644
--- /dev/null
+++ b/dom/webauthn/tests/browser/browser_webauthn_prompts.js
@@ -0,0 +1,215 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+const TEST_URL = "https://example.com/";
+
+function promiseNotification(id) {
+  return new Promise(resolve => {
+    PopupNotifications.panel.addEventListener("popupshown", function shown() {
+      let notification = PopupNotifications.getNotification(id);
+      if (notification) {
+        ok(true, `${id} prompt visible`);
+        PopupNotifications.panel.removeEventListener("popupshown", shown);
+        resolve();
+      }
+    });
+  });
+}
+
+function arrivingHereIsBad(aResult) {
+  ok(false, "Bad result! Received a: " + aResult);
+}
+
+function expectAbortError(aResult) {
+  let expected = "AbortError";
+  is(aResult.slice(0, expected.length), expected, `Expecting a ${expected}`);
+}
+
+function verifyAnonymizedCertificate(attestationObject) {
+  return webAuthnDecodeCBORAttestation(attestationObject)
+    .then(({fmt, attStmt}) => {
+      is("none", fmt, "Is a None Attestation");
+      is("object", typeof(attStmt), "attStmt is a map");
+      is(0, Object.keys(attStmt).length, "attStmt is empty");
+    });
+}
+
+function verifyDirectCertificate(attestationObject) {
+  return webAuthnDecodeCBORAttestation(attestationObject)
+    .then(({fmt, attStmt}) => {
+      is("fido-u2f", fmt, "Is a FIDO U2F Attestation");
+      is("object", typeof(attStmt), "attStmt is a map");
+      ok(attStmt.hasOwnProperty("x5c"), "attStmt.x5c exists");
+      ok(attStmt.hasOwnProperty("sig"), "attStmt.sig exists");
+    });
+}
+
+function promiseWebAuthnRegister(tab, attestation = "indirect") {
+  return ContentTask.spawn(tab.linkedBrowser, [attestation],
+    ([attestation]) => {
+      const cose_alg_ECDSA_w_SHA256 = -7;
+
+      let challenge = content.crypto.getRandomValues(new Uint8Array(16));
+
+      let pubKeyCredParams = [{
+        type: "public-key",
+        alg: cose_alg_ECDSA_w_SHA256
+      }];
+
+      let publicKey = {
+        rp: {id: content.document.domain, name: "none", icon: "none"},
+        user: {id: new Uint8Array(), name: "none", icon: "none", displayName: "none"},
+        pubKeyCredParams,
+        attestation,
+        challenge
+      };
+
+      return content.navigator.credentials.create({publicKey})
+        .then(cred => cred.response.attestationObject);
+    });
+}
+
+function promiseWebAuthnSign(tab) {
+  return ContentTask.spawn(tab.linkedBrowser, [], () => {
+    let challenge = content.crypto.getRandomValues(new Uint8Array(16));
+    let key_handle = content.crypto.getRandomValues(new Uint8Array(16));
+
+    let credential = {
+      id: key_handle,
+      type: "public-key",
+      transports: ["usb"]
+    };
+
+    let publicKey = {
+      challenge,
+      rpId: content.document.domain,
+      allowCredentials: [credential],
+    };
+
+    return content.navigator.credentials.get({publicKey});
+  });
+}
+
+add_task(async function test_setup_usbtoken() {
+  await SpecialPowers.pushPrefEnv({
+    "set": [
+      ["security.webauth.u2f", false],
+      ["security.webauth.webauthn", true],
+      ["security.webauth.webauthn_enable_softtoken", false],
+      ["security.webauth.webauthn_enable_usbtoken", true]
+    ]
+  });
+});
+
+add_task(async function test_register() {
+  // Open a new tab.
+  let tab = await BrowserTestUtils.openNewForegroundTab(gBrowser, TEST_URL);
+
+  // Request a new credential and wait for the prompt.
+  let active = true;
+  let request = promiseWebAuthnRegister(tab)
+    .then(arrivingHereIsBad)
+    .catch(expectAbortError)
+    .then(() => active = false);
+  await promiseNotification("webauthn-prompt-register");
+
+  // Cancel the request.
+  ok(active, "request should still be active");
+  PopupNotifications.panel.firstChild.button.click();
+  await request;
+
+  // Close tab.
+  await BrowserTestUtils.removeTab(tab);
+});
+
+add_task(async function test_sign() {
+  // Open a new tab.
+  let tab = await BrowserTestUtils.openNewForegroundTab(gBrowser, TEST_URL);
+
+  // Request a new assertion and wait for the prompt.
+  let active = true;
+  let request = promiseWebAuthnSign(tab)
+    .then(arrivingHereIsBad)
+    .catch(expectAbortError)
+    .then(() => active = false);
+  await promiseNotification("webauthn-prompt-sign");
+
+  // Cancel the request.
+  ok(active, "request should still be active");
+  PopupNotifications.panel.firstChild.button.click();
+  await request;
+
+  // Close tab.
+  await BrowserTestUtils.removeTab(tab);
+});
+
+add_task(async function test_register_direct_cancel() {
+  // Open a new tab.
+  let tab = await BrowserTestUtils.openNewForegroundTab(gBrowser, TEST_URL);
+
+  // Request a new credential with direct attestation and wait for the prompt.
+  let active = true;
+  let promise = promiseWebAuthnRegister(tab, "direct")
+    .then(arrivingHereIsBad).catch(expectAbortError)
+    .then(() => active = false);
+  await promiseNotification("webauthn-prompt-register-direct");
+
+  // Cancel the request.
+  ok(active, "request should still be active");
+  PopupNotifications.panel.firstChild.secondaryButton.click();
+  await promise;
+
+  // Close tab.
+  await BrowserTestUtils.removeTab(tab);
+});
+
+add_task(async function test_setup_softtoken() {
+  await SpecialPowers.pushPrefEnv({
+    "set": [
+      ["security.webauth.u2f", false],
+      ["security.webauth.webauthn", true],
+      ["security.webauth.webauthn_enable_softtoken", true],
+      ["security.webauth.webauthn_enable_usbtoken", false]
+    ]
+  })
+});
+
+add_task(async function test_register_direct_proceed() {
+  // Open a new tab.
+  let tab = await BrowserTestUtils.openNewForegroundTab(gBrowser, TEST_URL);
+
+  // Request a new credential with direct attestation and wait for the prompt.
+  let request = promiseWebAuthnRegister(tab, "direct");
+  await promiseNotification("webauthn-prompt-register-direct");
+
+  // Proceed.
+  PopupNotifications.panel.firstChild.button.click();
+
+  // Ensure we got "direct" attestation.
+  await request.then(verifyDirectCertificate);
+
+  // Close tab.
+  await BrowserTestUtils.removeTab(tab);
+});
+
+add_task(async function test_register_direct_proceed_anon() {
+  // Open a new tab.
+  let tab = await BrowserTestUtils.openNewForegroundTab(gBrowser, TEST_URL);
+
+  // Request a new credential with direct attestation and wait for the prompt.
+  let request = promiseWebAuthnRegister(tab, "direct");
+  await promiseNotification("webauthn-prompt-register-direct");
+
+  // Check "anonymize anyway" and proceed.
+  PopupNotifications.panel.firstChild.checkbox.checked = true;
+  PopupNotifications.panel.firstChild.button.click();
+
+  // Ensure we got "none" attestation.
+  await request.then(verifyAnonymizedCertificate);
+
+  // Close tab.
+  await BrowserTestUtils.removeTab(tab);
+});
--- a/dom/webauthn/tests/browser/browser_webauthn_telemetry.js
+++ b/dom/webauthn/tests/browser/browser_webauthn_telemetry.js
@@ -52,29 +52,34 @@ async function executeTestPage(aUri) {
   } catch(e) {
     ok(false, "Exception thrown executing test page: " + e);
   } finally {
     // Remove all the extra windows and tabs.
     return BrowserTestUtils.removeTab(gBrowser.selectedTab);
   }
 }
 
+add_task(async function test_setup() {
+  await SpecialPowers.pushPrefEnv({
+    "set": [
+      ["security.webauth.webauthn", true],
+      ["security.webauth.webauthn_enable_softtoken", true],
+      ["security.webauth.webauthn_enable_usbtoken", false],
+      ["security.webauth.webauthn_testing_allow_direct_attestation", true]
+    ]
+  });
+});
+
 add_task(async function test_loopback() {
   // These tests can't run simultaneously as the preference changes will race.
   // So let's run them sequentially here, but in an async function so we can
   // use await.
   const testPage = "https://example.com/browser/dom/webauthn/tests/browser/tab_webauthn_success.html";
   {
     cleanupTelemetry();
-    // Enable the soft token, and execute a simple end-to-end test
-    Services.prefs.setBoolPref("security.webauth.webauthn", true);
-    Services.prefs.setBoolPref("security.webauth.webauthn_enable_softtoken", true);
-    Services.prefs.setBoolPref("security.webauth.webauthn_enable_usbtoken", false);
-    Services.prefs.setBoolPref("security.webauth.webauthn_testing_allow_direct_attestation", true);
-
     await executeTestPage(testPage);
 
     let webauthn_used = getTelemetryForScalar("security.webauthn_used");
     ok(webauthn_used, "Scalar keys are set: " + Object.keys(webauthn_used).join(", "));
     is(webauthn_used["U2FRegisterFinish"], 1, "webauthn_used U2FRegisterFinish scalar should be 1");
     is(webauthn_used["U2FSignFinish"], 1, "webauthn_used U2FSignFinish scalar should be 1");
     is(webauthn_used["U2FSignAbort"], undefined, "webauthn_used U2FSignAbort scalar must be unset");
     is(webauthn_used["U2FRegisterAbort"], undefined, "webauthn_used U2FRegisterAbort scalar must be unset");
--- a/dom/webauthn/tests/browser/head.js
+++ b/dom/webauthn/tests/browser/head.js
@@ -1,56 +1,20 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 "use strict";
 
-function bytesToBase64(u8a){
-  let CHUNK_SZ = 0x8000;
-  let c = [];
-  for (let i = 0; i < u8a.length; i += CHUNK_SZ) {
-    c.push(String.fromCharCode.apply(null, u8a.subarray(i, i + CHUNK_SZ)));
-  }
-  return window.btoa(c.join(""));
-}
-
-function bytesToBase64UrlSafe(buf) {
-  return bytesToBase64(buf)
-                 .replace(/\+/g, "-")
-                 .replace(/\//g, "_")
-                 .replace(/=/g, "");
-}
-
-function base64ToBytes(b64encoded) {
-  return new Uint8Array(window.atob(b64encoded).split("").map(function(c) {
-    return c.charCodeAt(0);
-  }));
-}
-
-function base64ToBytesUrlSafe(str) {
-  if (!str || str.length % 4 == 1) {
-    throw "Improper b64 string";
-  }
-
-  var b64 = str.replace(/\-/g, "+").replace(/\_/g, "/");
-  while (b64.length % 4 != 0) {
-    b64 += "=";
-  }
-  return base64ToBytes(b64);
-}
-
-function buffer2string(buf) {
-  let str = "";
-  if (!(buf.constructor === Uint8Array)) {
-    buf = new Uint8Array(buf);
-  }
-  buf.map(function(x){ return str += String.fromCharCode(x) });
-  return str;
-}
+Services.scriptloader.loadSubScript(
+  "chrome://mochitests/content/browser/dom/webauthn/tests/browser/cbor.js",
+  this);
+Services.scriptloader.loadSubScript(
+  "chrome://mochitests/content/browser/dom/webauthn/tests/browser/u2futil.js",
+  this);
 
 function memcmp(x, y) {
   let xb = new Uint8Array(x);
   let yb = new Uint8Array(y);
 
   if (x.byteLength != y.byteLength) {
     return false;
   }
--- a/dom/webauthn/tests/browser/tab_webauthn_success.html
+++ b/dom/webauthn/tests/browser/tab_webauthn_success.html
@@ -2,17 +2,17 @@
 <meta charset=utf-8>
 <head>
   <title>Full-run test for MakeCredential/GetAssertion for W3C Web Authentication</title>
   <script type="text/javascript" src="u2futil.js"></script>
   <script type="text/javascript" src="../pkijs/common.js"></script>
   <script type="text/javascript" src="../pkijs/asn1.js"></script>
   <script type="text/javascript" src="../pkijs/x509_schema.js"></script>
   <script type="text/javascript" src="../pkijs/x509_simpl.js"></script>
-  <script type="text/javascript" src="../cbor/cbor.js"></script>
+  <script type="text/javascript" src="cbor.js"></script>
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
 </head>
 <body>
 
 <h1>Full-run test for MakeCredential/GetAssertion for W3C Web Authentication</h1>
 <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1265472">Mozilla Bug 1265472</a>
 
 <script class="testbody" type="text/javascript">
rename from dom/webauthn/tests/cbor/cbor.js
rename to dom/webauthn/tests/cbor.js
--- a/dom/webauthn/tests/mochitest.ini
+++ b/dom/webauthn/tests/mochitest.ini
@@ -1,13 +1,13 @@
 [DEFAULT]
 support-files =
-  cbor/*
+  cbor.js
+  u2futil.js
   pkijs/*
-  u2futil.js
 skip-if = !e10s
 scheme = https
 
 [test_webauthn_abort_signal.html]
 [test_webauthn_attestation_conveyance.html]
 [test_webauthn_authenticator_selection.html]
 [test_webauthn_authenticator_transports.html]
 [test_webauthn_loopback.html]
--- a/dom/webauthn/tests/test_webauthn_attestation_conveyance.html
+++ b/dom/webauthn/tests/test_webauthn_attestation_conveyance.html
@@ -4,17 +4,17 @@
   <title>W3C Web Authentication - Attestation Conveyance</title>
   <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
   <script type="text/javascript" src="/tests/SimpleTest/SpawnTask.js"></script>
   <script type="text/javascript" src="u2futil.js"></script>
   <script type="text/javascript" src="pkijs/common.js"></script>
   <script type="text/javascript" src="pkijs/asn1.js"></script>
   <script type="text/javascript" src="pkijs/x509_schema.js"></script>
   <script type="text/javascript" src="pkijs/x509_simpl.js"></script>
-  <script type="text/javascript" src="cbor/cbor.js"></script>
+  <script type="text/javascript" src="cbor.js"></script>
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
 </head>
 <body>
 
   <h1>W3C Web Authentication - Attestation Conveyance</h1>
   <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1428916">Mozilla Bug 1428916</a>
   <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1416056">Mozilla Bug 1416056</a>
 
--- a/dom/webauthn/tests/test_webauthn_loopback.html
+++ b/dom/webauthn/tests/test_webauthn_loopback.html
@@ -3,17 +3,17 @@
 <head>
   <title>Full-run test for MakeCredential/GetAssertion for W3C Web Authentication</title>
   <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
   <script type="text/javascript" src="u2futil.js"></script>
   <script type="text/javascript" src="pkijs/common.js"></script>
   <script type="text/javascript" src="pkijs/asn1.js"></script>
   <script type="text/javascript" src="pkijs/x509_schema.js"></script>
   <script type="text/javascript" src="pkijs/x509_simpl.js"></script>
-  <script type="text/javascript" src="cbor/cbor.js"></script>
+  <script type="text/javascript" src="cbor.js"></script>
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
 </head>
 <body>
 
 <h1>Full-run test for MakeCredential/GetAssertion for W3C Web Authentication</h1>
 <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1309284">Mozilla Bug 1309284</a>
 
 <script class="testbody" type="text/javascript">
--- a/dom/webauthn/tests/u2futil.js
+++ b/dom/webauthn/tests/u2futil.js
@@ -197,17 +197,17 @@ function webAuthnDecodeAuthDataArray(aAu
   let attData = {};
   attData.aaguid = aAuthData.slice(37, 53);
   attData.credIdLen = (aAuthData[53] << 8) + aAuthData[54];
   attData.credId = aAuthData.slice(55, 55 + attData.credIdLen);
 
   console.log(":: Authenticator Data ::");
   console.log("AAGUID: " + hexEncode(attData.aaguid));
 
-  cborPubKey = aAuthData.slice(55 + attData.credIdLen);
+  let cborPubKey = aAuthData.slice(55 + attData.credIdLen);
   var pubkeyObj = CBOR.decode(cborPubKey.buffer);
   if (!(cose_kty in pubkeyObj && cose_alg in pubkeyObj && cose_crv in pubkeyObj
         && cose_crv_x in pubkeyObj && cose_crv_y in pubkeyObj)) {
     throw "Invalid CBOR Public Key Object";
   }
   if (pubkeyObj[cose_kty] != cose_kty_ec2) {
     throw "Unexpected key type";
   }
--- a/gfx/thebes/gfxContext.cpp
+++ b/gfx/thebes/gfxContext.cpp
@@ -456,63 +456,61 @@ gfxContext::SetAntialiasMode(AntialiasMo
 
 AntialiasMode
 gfxContext::CurrentAntialiasMode() const
 {
   return CurrentState().aaMode;
 }
 
 void
-gfxContext::SetDash(gfxFloat *dashes, int ndash, gfxFloat offset)
+gfxContext::SetDash(const Float *dashes, int ndash, Float offset)
 {
   CURRENTSTATE_CHANGED()
   AzureState &state = CurrentState();
 
   state.dashPattern.SetLength(ndash);
   for (int i = 0; i < ndash; i++) {
-    state.dashPattern[i] = Float(dashes[i]);
+    state.dashPattern[i] = dashes[i];
   }
   state.strokeOptions.mDashLength = ndash;
-  state.strokeOptions.mDashOffset = Float(offset);
+  state.strokeOptions.mDashOffset = offset;
   state.strokeOptions.mDashPattern = ndash ? state.dashPattern.Elements()
                                            : nullptr;
 }
 
 bool
-gfxContext::CurrentDash(FallibleTArray<gfxFloat>& dashes, gfxFloat* offset) const
+gfxContext::CurrentDash(FallibleTArray<Float>& dashes, Float* offset) const
 {
   const AzureState &state = CurrentState();
   int count = state.strokeOptions.mDashLength;
 
   if (count <= 0 || !dashes.SetLength(count, fallible)) {
     return false;
   }
 
-  for (int i = 0; i < count; i++) {
-    dashes[i] = state.dashPattern[i];
-  }
+  dashes = state.dashPattern;
 
   *offset = state.strokeOptions.mDashOffset;
 
   return true;
 }
 
-gfxFloat
+Float
 gfxContext::CurrentDashOffset() const
 {
   return CurrentState().strokeOptions.mDashOffset;
 }
 
 void
-gfxContext::SetLineWidth(gfxFloat width)
+gfxContext::SetLineWidth(Float width)
 {
-  CurrentState().strokeOptions.mLineWidth = Float(width);
+  CurrentState().strokeOptions.mLineWidth = width;
 }
 
-gfxFloat
+Float
 gfxContext::CurrentLineWidth() const
 {
   return CurrentState().strokeOptions.mLineWidth;
 }
 
 void
 gfxContext::SetOp(CompositionOp aOp)
 {
@@ -548,23 +546,23 @@ gfxContext::SetLineJoin(JoinStyle join)
 
 JoinStyle
 gfxContext::CurrentLineJoin() const
 {
   return CurrentState().strokeOptions.mLineJoin;
 }
 
 void
-gfxContext::SetMiterLimit(gfxFloat limit)
+gfxContext::SetMiterLimit(Float limit)
 {
   CURRENTSTATE_CHANGED()
-  CurrentState().strokeOptions.mMiterLimit = Float(limit);
+  CurrentState().strokeOptions.mMiterLimit = limit;
 }
 
-gfxFloat
+Float
 gfxContext::CurrentMiterLimit() const
 {
   return CurrentState().strokeOptions.mMiterLimit;
 }
 
 // clipping
 void
 gfxContext::Clip(const Rect& rect)
@@ -755,26 +753,26 @@ gfxContext::Mask(SourceSurface *surface,
   // We clip here to bind to the mask surface bounds, see above.
   mDT->MaskSurface(PatternFromState(this),
             surface,
             offset,
             DrawOptions(alpha, CurrentState().op, CurrentState().aaMode));
 }
 
 void
-gfxContext::Paint(gfxFloat alpha)
+gfxContext::Paint(Float alpha)
 {
   AUTO_PROFILER_LABEL("gfxContext::Paint", GRAPHICS);
 
   Matrix mat = mDT->GetTransform();
   mat.Invert();
   Rect paintRect = mat.TransformBounds(Rect(Point(0, 0), Size(mDT->GetSize())));
 
   mDT->FillRect(paintRect, PatternFromState(this),
-                DrawOptions(Float(alpha), GetOp()));
+                DrawOptions(alpha, GetOp()));
 }
 
 void
 gfxContext::PushGroupForBlendBack(gfxContentType content, Float aOpacity, SourceSurface* aMask, const Matrix& aMaskTransform)
 {
   mDT->PushLayer(content == gfxContentType::COLOR, aOpacity, aMask, aMaskTransform);
 }
 
--- a/gfx/thebes/gfxContext.h
+++ b/gfx/thebes/gfxContext.h
@@ -45,16 +45,17 @@ class ClipExporter;
  * Note that the gfxContext takes coordinates in device pixels,
  * as opposed to app units.
  */
 class gfxContext final {
     typedef mozilla::gfx::CapStyle CapStyle;
     typedef mozilla::gfx::CompositionOp CompositionOp;
     typedef mozilla::gfx::JoinStyle JoinStyle;
     typedef mozilla::gfx::FillRule FillRule;
+    typedef mozilla::gfx::Float Float;
     typedef mozilla::gfx::Path Path;
     typedef mozilla::gfx::Pattern Pattern;
     typedef mozilla::gfx::Rect Rect;
     typedef mozilla::gfx::RectCornerRadii RectCornerRadii;
     typedef mozilla::gfx::Size Size;
 
     NS_INLINE_DECL_REFCOUNTING(gfxContext)
 
@@ -281,68 +282,68 @@ public:
 
     /**
      ** Painting
      **/
     /**
      * Paints the current source surface/pattern everywhere in the current
      * clip region.
      */
-    void Paint(gfxFloat alpha = 1.0);
+    void Paint(Float alpha = 1.0);
 
     /**
      ** Painting with a Mask
      **/
     /**
      * Like Paint, except that it only draws the source where pattern is
      * non-transparent.
      */
     void Mask(mozilla::gfx::SourceSurface *aSurface, mozilla::gfx::Float aAlpha, const mozilla::gfx::Matrix& aTransform);
     void Mask(mozilla::gfx::SourceSurface *aSurface, const mozilla::gfx::Matrix& aTransform) { Mask(aSurface, 1.0f, aTransform); }
     void Mask(mozilla::gfx::SourceSurface *surface, float alpha = 1.0f, const mozilla::gfx::Point& offset = mozilla::gfx::Point());
 
     /**
      ** Line Properties
      **/
 
-    void SetDash(gfxFloat *dashes, int ndash, gfxFloat offset);
+    void SetDash(const Float *dashes, int ndash, Float offset);
     // Return true if dashing is set, false if it's not enabled or the
     // context is in an error state.  |offset| can be nullptr to mean
     // "don't care".
-    bool CurrentDash(FallibleTArray<gfxFloat>& dashes, gfxFloat* offset) const;
+    bool CurrentDash(FallibleTArray<Float>& dashes, Float* offset) const;
     // Returns 0.0 if dashing isn't enabled.
-    gfxFloat CurrentDashOffset() const;
+    Float CurrentDashOffset() const;
 
     /**
      * Sets the line width that's used for line drawing.
      */
-    void SetLineWidth(gfxFloat width);
+    void SetLineWidth(Float width);
 
     /**
      * Returns the currently set line width.
      *
      * @see SetLineWidth
      */
-    gfxFloat CurrentLineWidth() const;
+    Float CurrentLineWidth() const;
 
     /**
      * Sets the line caps, i.e. how line endings are drawn.
      */
     void SetLineCap(CapStyle cap);
     CapStyle CurrentLineCap() const;
 
     /**
      * Sets the line join, i.e. how the connection between two lines is
      * drawn.
      */
     void SetLineJoin(JoinStyle join);
     JoinStyle CurrentLineJoin() const;
 
-    void SetMiterLimit(gfxFloat limit);
-    gfxFloat CurrentMiterLimit() const;
+    void SetMiterLimit(Float limit);
+    Float CurrentMiterLimit() const;
 
     /**
      * Sets the operator used for all further drawing. The operator affects
      * how drawing something will modify the destination. For example, the
      * OVER operator will do alpha blending of source and destination, while
      * SOURCE will replace the destination with the source.
      */
     void SetOp(CompositionOp op);
@@ -456,17 +457,16 @@ private:
 
   friend class PatternFromState;
   friend class GlyphBufferAzure;
 
   typedef mozilla::gfx::Matrix Matrix;
   typedef mozilla::gfx::DrawTarget DrawTarget;
   typedef mozilla::gfx::Color Color;
   typedef mozilla::gfx::StrokeOptions StrokeOptions;
-  typedef mozilla::gfx::Float Float;
   typedef mozilla::gfx::PathBuilder PathBuilder;
   typedef mozilla::gfx::SourceSurface SourceSurface;
 
   struct AzureState {
     AzureState()
       : op(mozilla::gfx::CompositionOp::OP_OVER)
       , color(0, 0, 0, 1.0f)
       , aaMode(mozilla::gfx::AntialiasMode::SUBPIXEL)
--- a/js/src/jit/AliasAnalysisShared.cpp
+++ b/js/src/jit/AliasAnalysisShared.cpp
@@ -105,17 +105,16 @@ GetObject(const MDefinition* ins)
       case MDefinition::Opcode::LoadFixedSlotAndUnbox:
       case MDefinition::Opcode::StoreFixedSlot:
       case MDefinition::Opcode::GetPropertyPolymorphic:
       case MDefinition::Opcode::SetPropertyPolymorphic:
       case MDefinition::Opcode::GuardShape:
       case MDefinition::Opcode::GuardReceiverPolymorphic:
       case MDefinition::Opcode::GuardObjectGroup:
       case MDefinition::Opcode::GuardObjectIdentity:
-      case MDefinition::Opcode::GuardClass:
       case MDefinition::Opcode::GuardUnboxedExpando:
       case MDefinition::Opcode::LoadUnboxedExpando:
       case MDefinition::Opcode::LoadSlot:
       case MDefinition::Opcode::StoreSlot:
       case MDefinition::Opcode::InArray:
       case MDefinition::Opcode::LoadElementHole:
       case MDefinition::Opcode::TypedArrayElements:
       case MDefinition::Opcode::TypedObjectElements:
--- a/js/src/jit/BaselineCacheIRCompiler.cpp
+++ b/js/src/jit/BaselineCacheIRCompiler.cpp
@@ -205,42 +205,70 @@ BaselineCacheIRCompiler::compile()
     }
 
     return newStubCode;
 }
 
 bool
 BaselineCacheIRCompiler::emitGuardShape()
 {
-    Register obj = allocator.useRegister(masm, reader.objOperandId());
-    AutoScratchRegister scratch(allocator, masm);
+    ObjOperandId objId = reader.objOperandId();
+    Register obj = allocator.useRegister(masm, objId);
+    AutoScratchRegister scratch1(allocator, masm);
+
+    bool needSpectreMitigations = objectGuardNeedsSpectreMitigations(objId);
+
+    Maybe<AutoScratchRegister> maybeScratch2;
+    if (needSpectreMitigations)
+        maybeScratch2.emplace(allocator, masm);
 
     FailurePath* failure;
     if (!addFailurePath(&failure))
         return false;
 
     Address addr(stubAddress(reader.stubOffset()));
-    masm.loadPtr(addr, scratch);
-    masm.branchTestObjShape(Assembler::NotEqual, obj, scratch, failure->label());
+    masm.loadPtr(addr, scratch1);
+    if (needSpectreMitigations) {
+        masm.branchTestObjShape(Assembler::NotEqual, obj, scratch1, *maybeScratch2, obj,
+                                failure->label());
+    } else {
+        masm.branchTestObjShapeNoSpectreMitigations(Assembler::NotEqual, obj, scratch1,
+                                                    failure->label());
+    }
+
     return true;
 }
 
 bool
 BaselineCacheIRCompiler::emitGuardGroup()
 {
-    Register obj = allocator.useRegister(masm, reader.objOperandId());
-    AutoScratchRegister scratch(allocator, masm);
+    ObjOperandId objId = reader.objOperandId();
+    Register obj = allocator.useRegister(masm, objId);
+    AutoScratchRegister scratch1(allocator, masm);
+
+    bool needSpectreMitigations = objectGuardNeedsSpectreMitigations(objId);
+
+    Maybe<AutoScratchRegister> maybeScratch2;
+    if (needSpectreMitigations)
+        maybeScratch2.emplace(allocator, masm);
 
     FailurePath* failure;
     if (!addFailurePath(&failure))
         return false;
 
     Address addr(stubAddress(reader.stubOffset()));
-    masm.loadPtr(addr, scratch);
-    masm.branchTestObjGroup(Assembler::NotEqual, obj, scratch, failure->label());
+    masm.loadPtr(addr, scratch1);
+    if (needSpectreMitigations) {
+        masm.branchTestObjGroup(Assembler::NotEqual, obj, scratch1, *maybeScratch2, obj,
+                                failure->label());
+    } else {
+        masm.branchTestObjGroupNoSpectreMitigations(Assembler::NotEqual, obj, scratch1,
+                                                    failure->label());
+    }
+
     return true;
 }
 
 bool
 BaselineCacheIRCompiler::emitGuardGroupHasUnanalyzedNewScript()
 {
     Address addr(stubAddress(reader.stubOffset()));
     AutoScratchRegister scratch1(allocator, masm);
@@ -285,25 +313,33 @@ BaselineCacheIRCompiler::emitGuardCompar
     Address addr(stubAddress(reader.stubOffset()));
     masm.branchTestObjCompartment(Assembler::NotEqual, obj, addr, scratch, failure->label());
     return true;
 }
 
 bool
 BaselineCacheIRCompiler::emitGuardAnyClass()
 {
-    Register obj = allocator.useRegister(masm, reader.objOperandId());
+    ObjOperandId objId = reader.objOperandId();
+    Register obj = allocator.useRegister(masm, objId);
     AutoScratchRegister scratch(allocator, masm);
 
     FailurePath* failure;
     if (!addFailurePath(&failure))
         return false;
 
     Address testAddr(stubAddress(reader.stubOffset()));
-    masm.branchTestObjClass(Assembler::NotEqual, obj, scratch, testAddr, failure->label());
+    if (objectGuardNeedsSpectreMitigations(objId)) {
+        masm.branchTestObjClass(Assembler::NotEqual, obj, testAddr, scratch, obj,
+                                failure->label());
+    } else {
+        masm.branchTestObjClassNoSpectreMitigations(Assembler::NotEqual, obj, testAddr, scratch,
+                                                    failure->label());
+    }
+
     return true;
 }
 
 bool
 BaselineCacheIRCompiler::emitGuardHasProxyHandler()
 {
     Register obj = allocator.useRegister(masm, reader.objOperandId());
     AutoScratchRegister scratch(allocator, masm);
@@ -398,19 +434,21 @@ BaselineCacheIRCompiler::emitGuardSpecif
 bool
 BaselineCacheIRCompiler::emitGuardXrayExpandoShapeAndDefaultProto()
 {
     Register obj = allocator.useRegister(masm, reader.objOperandId());
     bool hasExpando = reader.readBool();
     Address shapeWrapperAddress(stubAddress(reader.stubOffset()));
 
     AutoScratchRegister scratch(allocator, masm);
-    Maybe<AutoScratchRegister> scratch2;
-    if (hasExpando)
+    Maybe<AutoScratchRegister> scratch2, scratch3;
+    if (hasExpando) {
         scratch2.emplace(allocator, masm);
+        scratch3.emplace(allocator, masm);
+    }
 
     FailurePath* failure;
     if (!addFailurePath(&failure))
         return false;
 
     masm.loadPtr(Address(obj, ProxyObject::offsetOfReservedSlots()), scratch);
     Address holderAddress(scratch, sizeof(Value) * GetXrayJitInfo()->xrayHolderSlot);
     Address expandoAddress(scratch, NativeObject::getFixedSlotOffset(GetXrayJitInfo()->holderExpandoSlot));
@@ -422,17 +460,18 @@ BaselineCacheIRCompiler::emitGuardXrayEx
         masm.unboxObject(expandoAddress, scratch);
 
         // Unwrap the expando before checking its shape.
         masm.loadPtr(Address(scratch, ProxyObject::offsetOfReservedSlots()), scratch);
         masm.unboxObject(Address(scratch, detail::ProxyReservedSlots::offsetOfPrivateSlot()), scratch);
 
         masm.loadPtr(shapeWrapperAddress, scratch2.ref());
         LoadShapeWrapperContents(masm, scratch2.ref(), scratch2.ref(), failure->label());
-        masm.branchTestObjShape(Assembler::NotEqual, scratch, scratch2.ref(), failure->label());
+        masm.branchTestObjShape(Assembler::NotEqual, scratch, *scratch2, *scratch3, scratch,
+                                failure->label());
 
         // The reserved slots on the expando should all be in fixed slots.
         Address protoAddress(scratch, NativeObject::getFixedSlotOffset(GetXrayJitInfo()->expandoProtoSlot));
         masm.branchTestUndefined(Assembler::NotEqual, protoAddress, failure->label());
     } else {
         Label done;
         masm.branchTestObject(Assembler::NotEqual, holderAddress, &done);
         masm.unboxObject(holderAddress, scratch);
@@ -2025,17 +2064,20 @@ BaselineCacheIRCompiler::emitGuardDOMExp
         return false;
 
     Label done;
     masm.branchTestUndefined(Assembler::Equal, val, &done);
 
     masm.debugAssertIsObject(val);
     masm.loadPtr(shapeAddr, shapeScratch);
     masm.unboxObject(val, objScratch);
-    masm.branchTestObjShape(Assembler::NotEqual, objScratch, shapeScratch, failure->label());
+    // The expando object is not used in this case, so we don't need Spectre
+    // mitigations.
+    masm.branchTestObjShapeNoSpectreMitigations(Assembler::NotEqual, objScratch, shapeScratch,
+                                                failure->label());
 
     masm.bind(&done);
     return true;
 }
 
 bool
 BaselineCacheIRCompiler::emitLoadDOMExpandoValueGuardGeneration()
 {
--- a/js/src/jit/BaselineCompiler.cpp
+++ b/js/src/jit/BaselineCompiler.cpp
@@ -4375,17 +4375,18 @@ BaselineCompiler::emit_JSOP_SUPERFUN()
     masm.loadObjProto(callee, proto);
 
     // Use VMCall for missing or lazy proto
     Label needVMCall;
     MOZ_ASSERT(uintptr_t(TaggedProto::LazyProto) == 1);
     masm.branchPtr(Assembler::BelowOrEqual, proto, ImmWord(1), &needVMCall);
 
     // Use VMCall for non-JSFunction objects (eg. Proxy)
-    masm.branchTestObjClass(Assembler::NotEqual, proto, scratch, &JSFunction::class_, &needVMCall);
+    masm.branchTestObjClass(Assembler::NotEqual, proto, &JSFunction::class_, scratch, proto,
+                            &needVMCall);
 
     // Use VMCall if not constructor
     masm.load16ZeroExtend(Address(proto, JSFunction::offsetOfFlags()), scratch);
     masm.branchTest32(Assembler::Zero, scratch, Imm32(JSFunction::CONSTRUCTOR), &needVMCall);
 
     // Valid constructor
     Label hasSuperFun;
     masm.jump(&hasSuperFun);
--- a/js/src/jit/BaselineIC.cpp
+++ b/js/src/jit/BaselineIC.cpp
@@ -421,20 +421,21 @@ bool
 ICTypeUpdate_ObjectGroup::Compiler::generateStubCode(MacroAssembler& masm)
 {
     MOZ_ASSERT(engine_ == Engine::Baseline);
 
     Label failure;
     masm.branchTestObject(Assembler::NotEqual, R0, &failure);
 
     // Guard on the object's ObjectGroup.
-    Register scratch = R1.scratchReg();
-    Register obj = masm.extractObject(R0, scratch);
     Address expectedGroup(ICStubReg, ICTypeUpdate_ObjectGroup::offsetOfGroup());
-    masm.branchTestObjGroup(Assembler::NotEqual, obj, expectedGroup, scratch, &failure);
+    Register scratch1 = R1.scratchReg();
+    masm.unboxObject(R0, scratch1);
+    masm.branchTestObjGroup(Assembler::NotEqual, scratch1, expectedGroup, scratch1,
+                            R0.payloadOrValueReg(), &failure);
 
     // Group matches, load true into R1.scratchReg() and return.
     masm.mov(ImmWord(1), R1.scratchReg());
     EmitReturnFromIC(masm);
 
     masm.bind(&failure);
     EmitStubGuardFailure(masm);
     return true;
@@ -2626,18 +2627,18 @@ ICCallStubCompiler::guardFunApply(MacroA
         masm.loadValue(secondArgSlot, secondArgVal);
 
         masm.branchTestObject(Assembler::NotEqual, secondArgVal, failure);
         Register secondArgObj = masm.extractObject(secondArgVal, ExtractTemp1);
 
         regsx.add(secondArgVal);
         regsx.takeUnchecked(secondArgObj);
 
-        masm.branchTestObjClass(Assembler::NotEqual, secondArgObj, regsx.getAny(),
-                                &ArrayObject::class_, failure);
+        masm.branchTestObjClass(Assembler::NotEqual, secondArgObj, &ArrayObject::class_,
+                                regsx.getAny(), secondArgObj, failure);
 
         // Get the array elements and ensure that initializedLength == length
         masm.loadPtr(Address(secondArgObj, NativeObject::offsetOfElements()), secondArgObj);
 
         Register lenReg = regsx.takeAny();
         masm.load32(Address(secondArgObj, ObjectElements::offsetOfLength()), lenReg);
 
         masm.branch32(Assembler::NotEqual,
@@ -2674,34 +2675,34 @@ ICCallStubCompiler::guardFunApply(MacroA
     // Load the callee, ensure that it's fun_apply
     ValueOperand val = regs.takeAnyValue();
     Address calleeSlot(masm.getStackPointer(), ICStackValueOffset + (3 * sizeof(Value)));
     masm.loadValue(calleeSlot, val);
 
     masm.branchTestObject(Assembler::NotEqual, val, failure);
     Register callee = masm.extractObject(val, ExtractTemp1);
 
-    masm.branchTestObjClass(Assembler::NotEqual, callee, regs.getAny(), &JSFunction::class_,
-                            failure);
+    masm.branchTestObjClass(Assembler::NotEqual, callee, &JSFunction::class_, regs.getAny(),
+                            callee, failure);
     masm.loadPtr(Address(callee, JSFunction::offsetOfNativeOrEnv()), callee);
 
     masm.branchPtr(Assembler::NotEqual, callee, ImmPtr(fun_apply), failure);
 
     // Load the |thisv|, ensure that it's a scripted function with a valid baseline or ion
     // script, or a native function.
     Address thisSlot(masm.getStackPointer(), ICStackValueOffset + (2 * sizeof(Value)));
     masm.loadValue(thisSlot, val);
 
     masm.branchTestObject(Assembler::NotEqual, val, failure);
     Register target = masm.extractObject(val, ExtractTemp1);
     regs.add(val);
     regs.takeUnchecked(target);
 
-    masm.branchTestObjClass(Assembler::NotEqual, target, regs.getAny(), &JSFunction::class_,
-                            failure);
+    masm.branchTestObjClass(Assembler::NotEqual, target, &JSFunction::class_, regs.getAny(),
+                            target, failure);
 
     Register temp = regs.takeAny();
     masm.branchIfFunctionHasNoJitEntry(target, /* constructing */ false, failure);
     masm.branchFunctionKind(Assembler::Equal, JSFunction::ClassConstructor, callee, temp, failure);
     regs.add(temp);
     return target;
 }
 
@@ -2938,18 +2939,18 @@ ICCallScriptedCompiler::generateStubCode
         // Check if the object matches this callee.
         Address expectedCallee(ICStubReg, ICCall_Scripted::offsetOfCallee());
         masm.branchPtr(Assembler::NotEqual, expectedCallee, callee, &failure);
 
         // Guard against relazification.
         masm.branchIfFunctionHasNoJitEntry(callee, isConstructing_, &failure);
     } else {
         // Ensure the object is a function.
-        masm.branchTestObjClass(Assembler::NotEqual, callee, regs.getAny(), &JSFunction::class_,
-                                &failure);
+        masm.branchTestObjClass(Assembler::NotEqual, callee, &JSFunction::class_, regs.getAny(),
+                                callee, &failure);
         if (isConstructing_) {
             masm.branchIfNotInterpretedConstructor(callee, regs.getAny(), &failure);
         } else {
             masm.branchIfFunctionHasNoJitEntry(callee, /* constructing */ false, &failure);
             masm.branchFunctionKind(Assembler::Equal, JSFunction::ClassConstructor, callee,
                                     regs.getAny(), &failure);
         }
     }
@@ -3183,18 +3184,18 @@ ICCall_ConstStringSplit::Compiler::gener
         ValueOperand calleeVal = regs.takeAnyValue();
 
         // Ensure that callee is an object.
         masm.loadValue(calleeAddr, calleeVal);
         masm.branchTestObject(Assembler::NotEqual, calleeVal, &failureRestoreArgc);
 
         // Ensure that callee is a function.
         Register calleeObj = masm.extractObject(calleeVal, ExtractTemp0);
-        masm.branchTestObjClass(Assembler::NotEqual, calleeObj, scratchReg,
-                                &JSFunction::class_, &failureRestoreArgc);
+        masm.branchTestObjClass(Assembler::NotEqual, calleeObj, &JSFunction::class_, scratchReg,
+                                calleeObj, &failureRestoreArgc);
 
         // Ensure that callee's function impl is the native intrinsic_StringSplitString.
         masm.loadPtr(Address(calleeObj, JSFunction::offsetOfNativeOrEnv()), scratchReg);
         masm.branchPtr(Assembler::NotEqual, scratchReg, ImmPtr(js::intrinsic_StringSplitString),
                        &failureRestoreArgc);
 
         regs.add(calleeVal);
     }
@@ -3273,18 +3274,18 @@ ICCall_IsSuspendedGenerator::Compiler::g
     // Check if it's an object.
     Label returnFalse;
     Register genObj = regs.takeAny();
     masm.branchTestObject(Assembler::NotEqual, argVal, &returnFalse);
     masm.unboxObject(argVal, genObj);
 
     // Check if it's a GeneratorObject.
     Register scratch = regs.takeAny();
-    masm.branchTestObjClass(Assembler::NotEqual, genObj, scratch, &GeneratorObject::class_,
-                            &returnFalse);
+    masm.branchTestObjClass(Assembler::NotEqual, genObj, &GeneratorObject::class_, scratch,
+                            genObj, &returnFalse);
 
     // If the yield index slot holds an int32 value < YIELD_AND_AWAIT_INDEX_CLOSING,
     // the generator is suspended.
     masm.loadValue(Address(genObj, GeneratorObject::offsetOfYieldAndAwaitIndexSlot()), argVal);
     masm.branchTestInt32(Assembler::NotEqual, argVal, &returnFalse);
     masm.unboxInt32(argVal, scratch);
     masm.branch32(Assembler::AboveOrEqual, scratch,
                   Imm32(GeneratorObject::YIELD_AND_AWAIT_INDEX_CLOSING),
@@ -3422,21 +3423,25 @@ ICCall_ClassHook::Compiler::generateStub
     unsigned nonArgSlots = (1 + isConstructing_) * sizeof(Value);
     BaseValueIndex calleeSlot(masm.getStackPointer(), argcReg, ICStackValueOffset + nonArgSlots);
     masm.loadValue(calleeSlot, R1);
     regs.take(R1);
 
     masm.branchTestObject(Assembler::NotEqual, R1, &failure);
 
     // Ensure the callee's class matches the one in this stub.
+    // We use |Address(ICStubReg, ICCall_ClassHook::offsetOfNative())| below
+    // instead of extracting the hook from callee. As a result the callee
+    // register is no longer used and we must use spectreRegToZero := ICStubReg
+    // instead.
     Register callee = masm.extractObject(R1, ExtractTemp0);
     Register scratch = regs.takeAny();
-    masm.branchTestObjClass(Assembler::NotEqual, callee, scratch,
+    masm.branchTestObjClass(Assembler::NotEqual, callee,
                             Address(ICStubReg, ICCall_ClassHook::offsetOfClass()),
-                            &failure);
+                            scratch, ICStubReg, &failure);
     regs.add(R1);
     regs.takeUnchecked(callee);
 
     // Push a stub frame so that we can perform a non-tail call.
     // Note that this leaves the return address in TailCallReg.
     enterStubFrame(masm, regs.getAny());
 
     regs.add(scratch);
@@ -3689,30 +3694,30 @@ ICCall_ScriptedFunCall::Compiler::genera
     BaseValueIndex calleeSlot(masm.getStackPointer(), argcReg, ICStackValueOffset + sizeof(Value));
     masm.loadValue(calleeSlot, R1);
     regs.take(R1);
 
     // Ensure callee is fun_call.
     masm.branchTestObject(Assembler::NotEqual, R1, &failure);
 
     Register callee = masm.extractObject(R1, ExtractTemp0);
-    masm.branchTestObjClass(Assembler::NotEqual, callee, regs.getAny(), &JSFunction::class_,
-                            &failure);
+    masm.branchTestObjClass(Assembler::NotEqual, callee, &JSFunction::class_, regs.getAny(),
+                            callee, &failure);
     masm.loadPtr(Address(callee, JSFunction::offsetOfNativeOrEnv()), callee);
     masm.branchPtr(Assembler::NotEqual, callee, ImmPtr(fun_call), &failure);
 
     // Ensure |this| is a function with a jit entry.
     BaseIndex thisSlot(masm.getStackPointer(), argcReg, TimesEight, ICStackValueOffset);
     masm.loadValue(thisSlot, R1);
 
     masm.branchTestObject(Assembler::NotEqual, R1, &failure);
     callee = masm.extractObject(R1, ExtractTemp0);
 
-    masm.branchTestObjClass(Assembler::NotEqual, callee, regs.getAny(), &JSFunction::class_,
-                            &failure);
+    masm.branchTestObjClass(Assembler::NotEqual, callee, &JSFunction::class_, regs.getAny(),
+                            callee, &failure);
     masm.branchIfFunctionHasNoJitEntry(callee, /* constructing */ false, &failure);
     masm.branchFunctionKind(Assembler::Equal, JSFunction::ClassConstructor,
                             callee, regs.getAny(), &failure);
 
     // Load the start of the target JitCode.
     Register code = regs.takeAny();
     masm.loadJitCodeRaw(callee, code);
 
@@ -4037,18 +4042,18 @@ ICIteratorMore_Native::Compiler::generat
     Label failure;
 
     Register obj = masm.extractObject(R0, ExtractTemp0);
 
     AllocatableGeneralRegisterSet regs(availableGeneralRegs(1));
     Register nativeIterator = regs.takeAny();
     Register scratch = regs.takeAny();
 
-    masm.branchTestObjClass(Assembler::NotEqual, obj, scratch,
-                            &PropertyIteratorObject::class_, &failure);
+    masm.branchTestObjClass(Assembler::NotEqual, obj, &PropertyIteratorObject::class_, scratch,
+                            obj, &failure);
     masm.loadObjPrivate(obj, JSObject::ITER_CLASS_NFIXED_SLOTS, nativeIterator);
 
     // If props_cursor < props_end, load the next string and advance the cursor.
     // Else, return MagicValue(JS_NO_ITER_VALUE).
     Label iterDone;
     Address cursorAddr(nativeIterator, offsetof(NativeIterator, props_cursor));
     Address cursorEndAddr(nativeIterator, offsetof(NativeIterator, props_end));
     masm.loadPtr(cursorAddr, scratch);
--- a/js/src/jit/CacheIRCompiler.cpp
+++ b/js/src/jit/CacheIRCompiler.cpp
@@ -1405,17 +1405,18 @@ CacheIRCompiler::emitGuardType()
     }
 
     return true;
 }
 
 bool
 CacheIRCompiler::emitGuardClass()
 {
-    Register obj = allocator.useRegister(masm, reader.objOperandId());
+    ObjOperandId objId = reader.objOperandId();
+    Register obj = allocator.useRegister(masm, objId);
     AutoScratchRegister scratch(allocator, masm);
 
     FailurePath* failure;
     if (!addFailurePath(&failure))
         return false;
 
     const Class* clasp = nullptr;
     switch (reader.guardClassKind()) {
@@ -1430,36 +1431,42 @@ CacheIRCompiler::emitGuardClass()
         break;
       case GuardClassKind::WindowProxy:
         clasp = cx_->runtime()->maybeWindowProxyClass();
         break;
       case GuardClassKind::JSFunction:
         clasp = &JSFunction::class_;
         break;
     }
-
     MOZ_ASSERT(clasp);
-    masm.branchTestObjClass(Assembler::NotEqual, obj, scratch, clasp, failure->label());
+
+    if (objectGuardNeedsSpectreMitigations(objId)) {
+        masm.branchTestObjClass(Assembler::NotEqual, obj, clasp, scratch, obj, failure->label());
+    } else {
+        masm.branchTestObjClassNoSpectreMitigations(Assembler::NotEqual, obj, clasp, scratch,
+                                                    failure->label());
+    }
+
     return true;
 }
 
 bool
 CacheIRCompiler::emitGuardIsNativeFunction()
 {
     Register obj = allocator.useRegister(masm, reader.objOperandId());
     JSNative nativeFunc = reinterpret_cast<JSNative>(reader.pointer());
     AutoScratchRegister scratch(allocator, masm);
 
     FailurePath* failure;
     if (!addFailurePath(&failure))
         return false;
 
     // Ensure obj is a function.
     const Class* clasp = &JSFunction::class_;
-    masm.branchTestObjClass(Assembler::NotEqual, obj, scratch, clasp, failure->label());
+    masm.branchTestObjClass(Assembler::NotEqual, obj, clasp, scratch, obj, failure->label());
 
     // Ensure function native matches.
     masm.branchPtr(Assembler::NotEqual, Address(obj, JSFunction::offsetOfNativeOrEnv()),
                    ImmPtr(nativeFunc), failure->label());
     return true;
 }
 
 bool
--- a/js/src/jit/CacheIRCompiler.h
+++ b/js/src/jit/CacheIRCompiler.h
@@ -374,16 +374,20 @@ class MOZ_RAII CacheRegisterAllocator
         return spilledRegs_.appendAll(regs);
     }
 
     void nextOp() {
         currentOpRegs_.clear();
         currentInstruction_++;
     }
 
+    bool isDeadAfterInstruction(OperandId opId) const {
+        return writer_.operandIsDead(opId.id(), currentInstruction_ + 1);
+    }
+
     uint32_t stackPushed() const {
         return stackPushed_;
     }
     void setStackPushed(uint32_t pushed) {
         stackPushed_ = pushed;
     }
 
     bool isAllocatable(Register reg) const {
@@ -565,16 +569,24 @@ class MOZ_RAII CacheIRCompiler
     MOZ_MUST_USE bool emitFailurePath(size_t i);
 
     // Returns the set of volatile float registers that are live. These
     // registers need to be saved when making non-GC calls with callWithABI.
     FloatRegisterSet liveVolatileFloatRegs() const {
         return FloatRegisterSet::Intersect(liveFloatRegs_.set(), FloatRegisterSet::Volatile());
     }
 
+    bool objectGuardNeedsSpectreMitigations(ObjOperandId objId) const {
+        // Instructions like GuardShape need Spectre mitigations if
+        // (1) mitigations are enabled and (2) the object is used by other
+        // instructions (if the object is *not* used by other instructions,
+        // zeroing its register is pointless).
+        return JitOptions.spectreObjectMitigationsMisc && !allocator.isDeadAfterInstruction(objId);
+    }
+
     void emitLoadTypedObjectResultShared(const Address& fieldAddr, Register scratch,
                                          uint32_t typeDescr,
                                          const AutoOutputRegister& output);
 
     void emitStoreTypedObjectReferenceProp(ValueOperand val, ReferenceTypeDescr::Type type,
                                            const Address& dest, Register scratch);
 
     void emitRegisterEnumerator(Register enumeratorsList, Register iter, Register scratch);
--- a/js/src/jit/CodeGenerator.cpp
+++ b/js/src/jit/CodeGenerator.cpp
@@ -955,17 +955,17 @@ CodeGenerator::visitFunctionDispatch(LFu
         lastLabel = skipTrivialBlocks(mir->getFallback())->lir()->label();
     }
 
     // Compare function pointers, except for the last case.
     for (size_t i = 0; i < casesWithFallback - 1; i++) {
         MOZ_ASSERT(i < mir->numCases());
         LBlock* target = skipTrivialBlocks(mir->getCaseBlock(i))->lir();
         if (ObjectGroup* funcGroup = mir->getCaseObjectGroup(i)) {
-            masm.branchTestObjGroup(Assembler::Equal, input, funcGroup, target->label());
+            masm.branchTestObjGroupUnsafe(Assembler::Equal, input, funcGroup, target->label());
         } else {
             JSFunction* func = mir->getCase(i);
             masm.branchPtr(Assembler::Equal, input, ImmGCPtr(func), target->label());
         }
     }
 
     // Jump to the last case.
     masm.jump(lastLabel);
@@ -2513,17 +2513,17 @@ CodeGenerator::visitRegExpPrototypeOptim
     addOutOfLineCode(ool, ins->mir());
 
     masm.loadJSContext(temp);
     masm.loadPtr(Address(temp, JSContext::offsetOfCompartment()), temp);
     size_t offset = JSCompartment::offsetOfRegExps() +
                     RegExpCompartment::offsetOfOptimizableRegExpPrototypeShape();
     masm.loadPtr(Address(temp, offset), temp);
 
-    masm.branchTestObjShape(Assembler::NotEqual, object, temp, ool->entry());
+    masm.branchTestObjShapeUnsafe(Assembler::NotEqual, object, temp, ool->entry());
     masm.move32(Imm32(0x1), output);
 
     masm.bind(ool->rejoin());
 }
 
 void
 CodeGenerator::visitOutOfLineRegExpPrototypeOptimizable(OutOfLineRegExpPrototypeOptimizable* ool)
 {
@@ -2573,17 +2573,17 @@ CodeGenerator::visitRegExpInstanceOptimi
     addOutOfLineCode(ool, ins->mir());
 
     masm.loadJSContext(temp);
     masm.loadPtr(Address(temp, JSContext::offsetOfCompartment()), temp);
     size_t offset = JSCompartment::offsetOfRegExps() +
                     RegExpCompartment::offsetOfOptimizableRegExpInstanceShape();
     masm.loadPtr(Address(temp, offset), temp);
 
-    masm.branchTestObjShape(Assembler::NotEqual, object, temp, ool->entry());
+    masm.branchTestObjShapeUnsafe(Assembler::NotEqual, object, temp, ool->entry());
     masm.move32(Imm32(0x1), output);
 
     masm.bind(ool->rejoin());
 }
 
 void
 CodeGenerator::visitOutOfLineRegExpInstanceOptimizable(OutOfLineRegExpInstanceOptimizable* ool)
 {
@@ -3463,54 +3463,58 @@ CodeGenerator::visitStoreSlotV(LStoreSlo
     if (lir->mir()->needsBarrier())
        emitPreBarrier(Address(base, offset));
 
     masm.storeValue(value, Address(base, offset));
 }
 
 static void
 GuardReceiver(MacroAssembler& masm, const ReceiverGuard& guard,
-              Register obj, Register scratch, Label* miss, bool checkNullExpando)
+              Register obj, Register expandoScratch, Register scratch, Label* miss,
+              bool checkNullExpando)
 {
     if (guard.group) {
-        masm.branchTestObjGroup(Assembler::NotEqual, obj, guard.group, miss);
+        masm.branchTestObjGroup(Assembler::NotEqual, obj, guard.group, scratch, obj, miss);
 
         Address expandoAddress(obj, UnboxedPlainObject::offsetOfExpando());
         if (guard.shape) {
-            masm.loadPtr(expandoAddress, scratch);
-            masm.branchPtr(Assembler::Equal, scratch, ImmWord(0), miss);
-            masm.branchTestObjShape(Assembler::NotEqual, scratch, guard.shape, miss);
+            masm.loadPtr(expandoAddress, expandoScratch);
+            masm.branchPtr(Assembler::Equal, expandoScratch, ImmWord(0), miss);
+            masm.branchTestObjShape(Assembler::NotEqual, expandoScratch, guard.shape, scratch,
+                                    expandoScratch, miss);
         } else if (checkNullExpando) {
             masm.branchPtr(Assembler::NotEqual, expandoAddress, ImmWord(0), miss);
         }
     } else {
-        masm.branchTestObjShape(Assembler::NotEqual, obj, guard.shape, miss);
-    }
-}
-
-void
-CodeGenerator::emitGetPropertyPolymorphic(LInstruction* ins, Register obj, Register scratch,
+        masm.branchTestObjShape(Assembler::NotEqual, obj, guard.shape, scratch, obj, miss);
+    }
+}
+
+void
+CodeGenerator::emitGetPropertyPolymorphic(LInstruction* ins, Register obj, Register expandoScratch,
+                                          Register scratch,
                                           const TypedOrValueRegister& output)
 {
     MGetPropertyPolymorphic* mir = ins->mirRaw()->toGetPropertyPolymorphic();
 
     Label done;
 
     for (size_t i = 0; i < mir->numReceivers(); i++) {
         ReceiverGuard receiver = mir->receiver(i);
 
         Label next;
         masm.comment("GuardReceiver");
-        GuardReceiver(masm, receiver, obj, scratch, &next, /* checkNullExpando = */ false);
+        GuardReceiver(masm, receiver, obj, expandoScratch, scratch, &next,
+                      /* checkNullExpando = */ false);
 
         if (receiver.shape) {
             masm.comment("loadTypedOrValue");
             // If this is an unboxed expando access, GuardReceiver loaded the
-            // expando object into scratch.
-            Register target = receiver.group ? scratch : obj;
+            // expando object into expandoScratch.
+            Register target = receiver.group ? expandoScratch : obj;
 
             Shape* shape = mir->shape(i);
             if (shape->slot() < shape->numFixedSlots()) {
                 // Fixed slot.
                 masm.loadTypedOrValue(Address(target, NativeObject::getFixedSlotOffset(shape->slot())),
                                       output);
             } else {
                 // Dynamic slot.
@@ -3538,59 +3542,62 @@ CodeGenerator::emitGetPropertyPolymorphi
     masm.bind(&done);
 }
 
 void
 CodeGenerator::visitGetPropertyPolymorphicV(LGetPropertyPolymorphicV* ins)
 {
     Register obj = ToRegister(ins->obj());
     ValueOperand output = ToOutValue(ins);
-    emitGetPropertyPolymorphic(ins, obj, output.scratchReg(), output);
+    Register temp = ToRegister(ins->temp());
+    emitGetPropertyPolymorphic(ins, obj, output.scratchReg(), temp, output);
 }
 
 void
 CodeGenerator::visitGetPropertyPolymorphicT(LGetPropertyPolymorphicT* ins)
 {
     Register obj = ToRegister(ins->obj());
     TypedOrValueRegister output(ins->mir()->type(), ToAnyRegister(ins->output()));
-    Register temp = (output.type() == MIRType::Double)
-                    ? ToRegister(ins->temp())
-                    : output.typedReg().gpr();
-    emitGetPropertyPolymorphic(ins, obj, temp, output);
+    Register temp1 = ToRegister(ins->temp1());
+    Register temp2 = (output.type() == MIRType::Double)
+                     ? ToRegister(ins->temp2())
+                     : output.typedReg().gpr();
+    emitGetPropertyPolymorphic(ins, obj, temp1, temp2, output);
 }
 
 template <typename T>
 static void
 EmitUnboxedPreBarrier(MacroAssembler &masm, T address, JSValueType type)
 {
     if (type == JSVAL_TYPE_OBJECT)
         masm.guardedCallPreBarrier(address, MIRType::Object);
     else if (type == JSVAL_TYPE_STRING)
         masm.guardedCallPreBarrier(address, MIRType::String);
     else
         MOZ_ASSERT(!UnboxedTypeNeedsPreBarrier(type));
 }
 
 void
-CodeGenerator::emitSetPropertyPolymorphic(LInstruction* ins, Register obj, Register scratch,
-                                          const ConstantOrRegister& value)
+CodeGenerator::emitSetPropertyPolymorphic(LInstruction* ins, Register obj, Register expandoScratch,
+                                          Register scratch, const ConstantOrRegister& value)
 {
     MSetPropertyPolymorphic* mir = ins->mirRaw()->toSetPropertyPolymorphic();
 
     Label done;
     for (size_t i = 0; i < mir->numReceivers(); i++) {
         ReceiverGuard receiver = mir->receiver(i);
 
         Label next;
-        GuardReceiver(masm, receiver, obj, scratch, &next, /* checkNullExpando = */ false);
+        GuardReceiver(masm, receiver, obj, expandoScratch, scratch, &next,
+                      /* checkNullExpando = */ false);
 
         if (receiver.shape) {
             // If this is an unboxed expando access, GuardReceiver loaded the
-            // expando object into scratch.
-            Register target = receiver.group ? scratch : obj;
+            // expando object into expandoScratch.
+            Register target = receiver.group ? expandoScratch : obj;
 
             Shape* shape = mir->shape(i);
             if (shape->slot() < shape->numFixedSlots()) {
                 // Fixed slot.
                 Address addr(target, NativeObject::getFixedSlotOffset(shape->slot()));
                 if (mir->needsBarrier())
                     emitPreBarrier(addr);
                 masm.storeConstantOrRegister(value, addr);
@@ -3621,34 +3628,36 @@ CodeGenerator::emitSetPropertyPolymorphi
 
     masm.bind(&done);
 }
 
 void
 CodeGenerator::visitSetPropertyPolymorphicV(LSetPropertyPolymorphicV* ins)
 {
     Register obj = ToRegister(ins->obj());
-    Register temp = ToRegister(ins->temp());
+    Register temp1 = ToRegister(ins->temp1());
+    Register temp2 = ToRegister(ins->temp2());
     ValueOperand value = ToValue(ins, LSetPropertyPolymorphicV::Value);
-    emitSetPropertyPolymorphic(ins, obj, temp, TypedOrValueRegister(value));
+    emitSetPropertyPolymorphic(ins, obj, temp1, temp2, TypedOrValueRegister(value));
 }
 
 void
 CodeGenerator::visitSetPropertyPolymorphicT(LSetPropertyPolymorphicT* ins)
 {
     Register obj = ToRegister(ins->obj());
-    Register temp = ToRegister(ins->temp());
+    Register temp1 = ToRegister(ins->temp1());
+    Register temp2 = ToRegister(ins->temp2());
 
     ConstantOrRegister value;
     if (ins->mir()->value()->isConstant())
         value = ConstantOrRegister(ins->mir()->value()->toConstant()->toJSValue());
     else
         value = TypedOrValueRegister(ins->mir()->value()->type(), ToAnyRegister(ins->value()));
 
-    emitSetPropertyPolymorphic(ins, obj, temp, value);
+    emitSetPropertyPolymorphic(ins, obj, temp1, temp2, value);
 }
 
 void
 CodeGenerator::visitElements(LElements* lir)
 {
     Address elements(ToRegister(lir->object()), NativeObject::offsetOfElements());
     masm.loadPtr(elements, ToRegister(lir->output()));
 }
@@ -3790,39 +3799,31 @@ CodeGenerator::visitCopyLexicalEnvironme
     pushArg(ToRegister(lir->env()));
     callVM(CopyLexicalEnvironmentObjectInfo, lir);
 }
 
 void
 CodeGenerator::visitGuardShape(LGuardShape* guard)
 {
     Register obj = ToRegister(guard->input());
+    Register temp = ToTempRegisterOrInvalid(guard->temp());
     Label bail;
-    masm.branchTestObjShape(Assembler::NotEqual, obj, guard->mir()->shape(), &bail);
+    masm.branchTestObjShape(Assembler::NotEqual, obj, guard->mir()->shape(), temp, obj, &bail);
     bailoutFrom(&bail, guard->snapshot());
 }
 
 void
 CodeGenerator::visitGuardObjectGroup(LGuardObjectGroup* guard)
 {
     Register obj = ToRegister(guard->input());
+    Register temp = ToTempRegisterOrInvalid(guard->temp());
     Assembler::Condition cond =
         guard->mir()->bailOnEquality() ? Assembler::Equal : Assembler::NotEqual;
     Label bail;
-    masm.branchTestObjGroup(cond, obj, guard->mir()->group(), &bail);
-    bailoutFrom(&bail, guard->snapshot());
-}
-
-void
-CodeGenerator::visitGuardClass(LGuardClass* guard)
-{
-    Register obj = ToRegister(guard->input());
-    Register tmp = ToRegister(guard->tempInt());
-    Label bail;
-    masm.branchTestObjClass(Assembler::NotEqual, obj, tmp, guard->mir()->getClass(), &bail);
+    masm.branchTestObjGroup(cond, obj, guard->mir()->group(), temp, obj, &bail);
     bailoutFrom(&bail, guard->snapshot());
 }
 
 void
 CodeGenerator::visitGuardObjectIdentity(LGuardObjectIdentity* guard)
 {
     Register input = ToRegister(guard->input());
     Register expected = ToRegister(guard->expected());
@@ -3832,25 +3833,26 @@ CodeGenerator::visitGuardObjectIdentity(
     bailoutCmpPtr(cond, input, expected, guard->snapshot());
 }
 
 void
 CodeGenerator::visitGuardReceiverPolymorphic(LGuardReceiverPolymorphic* lir)
 {
     const MGuardReceiverPolymorphic* mir = lir->mir();
     Register obj = ToRegister(lir->object());
-    Register temp = ToRegister(lir->temp());
+    Register temp1 = ToRegister(lir->temp1());
+    Register temp2 = ToRegister(lir->temp2());
 
     Label done;
 
     for (size_t i = 0; i < mir->numReceivers(); i++) {
         const ReceiverGuard& receiver = mir->receiver(i);
 
         Label next;
-        GuardReceiver(masm, receiver, obj, temp, &next, /* checkNullExpando = */ true);
+        GuardReceiver(masm, receiver, obj, temp1, temp2, &next, /* checkNullExpando = */ true);
 
         if (i == mir->numReceivers() - 1) {
             bailoutFrom(&next, lir->snapshot());
         } else {
             masm.jump(&done);
             masm.bind(&next);
         }
     }
@@ -4512,18 +4514,18 @@ CodeGenerator::visitCallGeneric(LCallGen
 
     // Known-target case is handled by LCallKnown.
     MOZ_ASSERT(!call->hasSingleTarget());
 
     masm.checkStackAlignment();
 
     // Guard that calleereg is actually a function object.
     if (call->mir()->needsClassCheck()) {
-        masm.branchTestObjClass(Assembler::NotEqual, calleereg, nargsreg, &JSFunction::class_,
-                                &invoke);
+        masm.branchTestObjClass(Assembler::NotEqual, calleereg, &JSFunction::class_, nargsreg,
+                                calleereg, &invoke);
     }
 
     // Guard that calleereg is an interpreted function with a JSScript or a
     // wasm function.
     // If we are constructing, also ensure the callee is a constructor.
     if (call->mir()->isConstructing()) {
         masm.branchIfNotInterpretedConstructor(calleereg, nargsreg, &invoke);
     } else {
@@ -4912,18 +4914,18 @@ CodeGenerator::emitApplyGeneric(T* apply
 
     // Holds the function nargs, computed in the invoker or (for
     // ApplyArray) in the argument pusher.
     Register argcreg = ToRegister(apply->getArgc());
 
     // Unless already known, guard that calleereg is actually a function object.
     if (!apply->hasSingleTarget()) {
         Label bail;
-        masm.branchTestObjClass(Assembler::NotEqual, calleereg, objreg, &JSFunction::class_,
-                                &bail);
+        masm.branchTestObjClass(Assembler::NotEqual, calleereg, &JSFunction::class_, objreg,
+                                calleereg, &bail);
         bailoutFrom(&bail, apply->snapshot());
     }
 
     // Copy the arguments of the current function.
     //
     // In the case of ApplyArray, also compute argc: the argc register
     // and the elements register are the same; argc must not be
     // referenced before the call to emitPushArguments() and elements
@@ -6994,18 +6996,20 @@ CodeGenerator::emitGetNextEntryForIterat
     Register dataLength = ToRegister(lir->temp1());
     Register range = ToRegister(lir->temp2());
     Register output = ToRegister(lir->output());
 
 #ifdef DEBUG
     // Self-hosted code is responsible for ensuring GetNextEntryForIterator is
     // only called with the correct iterator class. Assert here all self-
     // hosted callers of GetNextEntryForIterator perform this class check.
+    // No Spectre mitigations are needed because this is DEBUG-only code.
     Label success;
-    masm.branchTestObjClass(Assembler::Equal, iter, temp, &IteratorObject::class_, &success);
+    masm.branchTestObjClassNoSpectreMitigations(Assembler::Equal, iter, &IteratorObject::class_,
+                                                temp, &success);
     masm.assumeUnreachable("Iterator object should have the correct class.");
     masm.bind(&success);
 #endif
 
     masm.loadPrivate(Address(iter, NativeObject::getFixedSlotOffset(IteratorObject::RangeSlot)),
                      range);
 
     Label iterAlreadyDone, iterDone, done;
@@ -9296,30 +9300,33 @@ CodeGenerator::visitStoreUnboxedPointer(
         Address address(elements, ToInt32(index) * sizeof(uintptr_t) + offsetAdjustment);
         StoreUnboxedPointer(masm, address, type, value, preBarrier);
     } else {
         BaseIndex address(elements, ToRegister(index), ScalePointer, offsetAdjustment);
         StoreUnboxedPointer(masm, address, type, value, preBarrier);
     }
 }
 
-typedef bool (*ConvertUnboxedObjectToNativeFn)(JSContext*, JSObject*);
+typedef NativeObject* (*ConvertUnboxedObjectToNativeFn)(JSContext*, JSObject*);
 static const VMFunction ConvertUnboxedPlainObjectToNativeInfo =
     FunctionInfo<ConvertUnboxedObjectToNativeFn>(UnboxedPlainObject::convertToNative,
                                                  "UnboxedPlainObject::convertToNative");
 
 void
 CodeGenerator::visitConvertUnboxedObjectToNative(LConvertUnboxedObjectToNative* lir)
 {
     Register object = ToRegister(lir->getOperand(0));
-
+    Register temp = ToTempRegisterOrInvalid(lir->temp());
+
+    // The call will return the same object so StoreRegisterTo(object) is safe.
     OutOfLineCode* ool = oolCallVM(ConvertUnboxedPlainObjectToNativeInfo,
-                                   lir, ArgList(object), StoreNothing());
-
-    masm.branchTestObjGroup(Assembler::Equal, object, lir->mir()->group(), ool->entry());
+                                   lir, ArgList(object), StoreRegisterTo(object));
+
+    masm.branchTestObjGroup(Assembler::Equal, object, lir->mir()->group(), temp, object,
+                            ool->entry());
     masm.bind(ool->rejoin());
 }
 
 typedef bool (*ArrayPopShiftFn)(JSContext*, HandleObject, MutableHandleValue);
 static const VMFunction ArrayPopDenseInfo =
     FunctionInfo<ArrayPopShiftFn>(jit::ArrayPopDense, "ArrayPopDense");
 static const VMFunction ArrayShiftDenseInfo =
     FunctionInfo<ArrayPopShiftFn>(jit::ArrayShiftDense, "ArrayShiftDense");
@@ -9589,17 +9596,18 @@ CodeGenerator::visitGetIteratorCache(LGe
 }
 
 static void
 LoadNativeIterator(MacroAssembler& masm, Register obj, Register dest, Label* failures)
 {
     MOZ_ASSERT(obj != dest);
 
     // Test class.
-    masm.branchTestObjClass(Assembler::NotEqual, obj, dest, &PropertyIteratorObject::class_, failures);
+    masm.branchTestObjClass(Assembler::NotEqual, obj, &PropertyIteratorObject::class_, dest,
+                            obj, failures);
 
     // Load NativeIterator object.
     masm.loadObjPrivate(obj, JSObject::ITER_CLASS_NFIXED_SLOTS, dest);
 }
 
 typedef bool (*IteratorMoreFn)(JSContext*, HandleObject, MutableHandleValue);
 static const VMFunction IteratorMoreInfo =
     FunctionInfo<IteratorMoreFn>(IteratorMore, "IteratorMore");
@@ -13121,17 +13129,18 @@ CodeGenerator::visitFinishBoundFunctionI
 
     OutOfLineCode* ool = oolCallVM(FinishBoundFunctionInitInfo, lir,
                                    ArgList(bound, target, argCount), StoreNothing());
     Label* slowPath = ool->entry();
 
     const size_t boundLengthOffset = FunctionExtended::offsetOfExtendedSlot(BOUND_FUN_LENGTH_SLOT);
 
     // Take the slow path if the target is not a JSFunction.
-    masm.branchTestObjClass(Assembler::NotEqual, target, temp1, &JSFunction::class_, slowPath);
+    masm.branchTestObjClass(Assembler::NotEqual, target, &JSFunction::class_, temp1, target,
+                            slowPath);
 
     // Take the slow path if we'd need to adjust the [[Prototype]].
     masm.loadObjProto(bound, temp1);
     masm.loadObjProto(target, temp2);
     masm.branchPtr(Assembler::NotEqual, temp1, temp2, slowPath);
 
     // Get the function flags.
     masm.load16ZeroExtend(Address(target, JSFunction::offsetOfFlags()), temp1);
--- a/js/src/jit/CodeGenerator.h
+++ b/js/src/jit/CodeGenerator.h
@@ -152,17 +152,16 @@ class CodeGenerator final : public CodeG
     void visitStoreSlotT(LStoreSlotT* lir);
     void visitStoreSlotV(LStoreSlotV* lir);
     void visitElements(LElements* lir);
     void visitConvertElementsToDoubles(LConvertElementsToDoubles* lir);
     void visitMaybeToDoubleElement(LMaybeToDoubleElement* lir);
     void visitMaybeCopyElementsForWrite(LMaybeCopyElementsForWrite* lir);
     void visitGuardShape(LGuardShape* guard);
     void visitGuardObjectGroup(LGuardObjectGroup* guard);
-    void visitGuardClass(LGuardClass* guard);
     void visitGuardObjectIdentity(LGuardObjectIdentity* guard);
     void visitGuardReceiverPolymorphic(LGuardReceiverPolymorphic* lir);
     void visitGuardUnboxedExpando(LGuardUnboxedExpando* lir);
     void visitLoadUnboxedExpando(LLoadUnboxedExpando* lir);
     void visitTypeBarrierV(LTypeBarrierV* lir);
     void visitTypeBarrierO(LTypeBarrierO* lir);
     void emitPostWriteBarrier(const LAllocation* obj);
     void emitPostWriteBarrier(Register objreg);
@@ -257,21 +256,21 @@ class CodeGenerator final : public CodeG
     void visitBoundsCheckRange(LBoundsCheckRange* lir);
     void visitBoundsCheckLower(LBoundsCheckLower* lir);
     void visitSpectreMaskIndex(LSpectreMaskIndex* lir);
     void visitLoadFixedSlotV(LLoadFixedSlotV* ins);
     void visitLoadFixedSlotAndUnbox(LLoadFixedSlotAndUnbox* lir);
     void visitLoadFixedSlotT(LLoadFixedSlotT* ins);
     void visitStoreFixedSlotV(LStoreFixedSlotV* ins);
     void visitStoreFixedSlotT(LStoreFixedSlotT* ins);
-    void emitGetPropertyPolymorphic(LInstruction* lir, Register obj,
+    void emitGetPropertyPolymorphic(LInstruction* lir, Register obj, Register expandoScratch,
                                     Register scratch, const TypedOrValueRegister& output);
     void visitGetPropertyPolymorphicV(LGetPropertyPolymorphicV* ins);
     void visitGetPropertyPolymorphicT(LGetPropertyPolymorphicT* ins);
-    void emitSetPropertyPolymorphic(LInstruction* lir, Register obj,
+    void emitSetPropertyPolymorphic(LInstruction* lir, Register obj, Register expandoScratch,
                                     Register scratch, const ConstantOrRegister& value);
     void visitSetPropertyPolymorphicV(LSetPropertyPolymorphicV* ins);
     void visitSetPropertyPolymorphicT(LSetPropertyPolymorphicT* ins);
     void visitAbsI(LAbsI* lir);
     void visitAtan2D(LAtan2D* lir);
     void visitHypot(LHypot* lir);
     void visitPowI(LPowI* lir);
     void visitPowD(LPowD* lir);
--- a/js/src/jit/IonAnalysis.cpp
+++ b/js/src/jit/IonAnalysis.cpp
@@ -3537,18 +3537,22 @@ TryOptimizeLoadObjectOrNull(MDefinition*
 
 static inline MDefinition*
 PassthroughOperand(MDefinition* def)
 {
     if (def->isConvertElementsToDoubles())
         return def->toConvertElementsToDoubles()->elements();
     if (def->isMaybeCopyElementsForWrite())
         return def->toMaybeCopyElementsForWrite()->object();
-    if (def->isConvertUnboxedObjectToNative())
-        return def->toConvertUnboxedObjectToNative()->object();
+    if (!JitOptions.spectreObjectMitigationsMisc) {
+        // If Spectre mitigations are enabled, LConvertUnboxedObjectToNative
+        // needs to have its own def.
+        if (def->isConvertUnboxedObjectToNative())
+            return def->toConvertUnboxedObjectToNative()->object();
+    }
     return nullptr;
 }
 
 // Eliminate checks which are redundant given each other or other instructions.
 //
 // A type barrier is considered redundant if all missing types have been tested
 // for by earlier control instructions.
 //
--- a/js/src/jit/IonCacheIRCompiler.cpp
+++ b/js/src/jit/IonCacheIRCompiler.cpp
@@ -623,38 +623,66 @@ IonCacheIRCompiler::compile()
     }
 
     return newStubCode;
 }
 
 bool
 IonCacheIRCompiler::emitGuardShape()
 {
-    Register obj = allocator.useRegister(masm, reader.objOperandId());
+    ObjOperandId objId = reader.objOperandId();
+    Register obj = allocator.useRegister(masm, objId);
     Shape* shape = shapeStubField(reader.stubOffset());
 
+    bool needSpectreMitigations = objectGuardNeedsSpectreMitigations(objId);
+
+    Maybe<AutoScratchRegister> maybeScratch;
+    if (needSpectreMitigations)
+        maybeScratch.emplace(allocator, masm);
+
     FailurePath* failure;
     if (!addFailurePath(&failure))
         return false;
 
-    masm.branchTestObjShape(Assembler::NotEqual, obj, shape, failure->label());
+    if (needSpectreMitigations) {
+        masm.branchTestObjShape(Assembler::NotEqual, obj, shape, *maybeScratch, obj,
+                                failure->label());
+    } else {
+        masm.branchTestObjShapeNoSpectreMitigations(Assembler::NotEqual, obj, shape,
+                                                    failure->label());
+    }
+
     return true;
 }
 
 bool
 IonCacheIRCompiler::emitGuardGroup()
 {
-    Register obj = allocator.useRegister(masm, reader.objOperandId());
+    ObjOperandId objId = reader.objOperandId();
+    Register obj = allocator.useRegister(masm, objId);
     ObjectGroup* group = groupStubField(reader.stubOffset());
 
+    bool needSpectreMitigations = objectGuardNeedsSpectreMitigations(objId);
+
+    Maybe<AutoScratchRegister> maybeScratch;
+    if (needSpectreMitigations)
+        maybeScratch.emplace(allocator, masm);
+
     FailurePath* failure;
     if (!addFailurePath(&failure))
         return false;
 
-    masm.branchTestObjGroup(Assembler::NotEqual, obj, group, failure->label());
+    if (needSpectreMitigations) {
+        masm.branchTestObjGroup(Assembler::NotEqual, obj, group, *maybeScratch, obj,
+                                failure->label());
+    } else {
+        masm.branchTestObjGroupNoSpectreMitigations(Assembler::NotEqual, obj, group,
+                                                    failure->label());
+    }
+
     return true;
 }
 
 bool
 IonCacheIRCompiler::emitGuardGroupHasUnanalyzedNewScript()
 {
     ObjectGroup* group = groupStubField(reader.stubOffset());
     AutoScratchRegister scratch1(allocator, masm);
@@ -702,26 +730,33 @@ IonCacheIRCompiler::emitGuardCompartment
     masm.branchTestObjCompartment(Assembler::NotEqual, obj, compartment, scratch,
                                   failure->label());
     return true;
 }
 
 bool
 IonCacheIRCompiler::emitGuardAnyClass()
 {
-    Register obj = allocator.useRegister(masm, reader.objOperandId());
+    ObjOperandId objId = reader.objOperandId();
+    Register obj = allocator.useRegister(masm, objId);
     AutoScratchRegister scratch(allocator, masm);
 
     const Class* clasp = classStubField(reader.stubOffset());
 
     FailurePath* failure;
     if (!addFailurePath(&failure))
         return false;
 
-    masm.branchTestObjClass(Assembler::NotEqual, obj, scratch, clasp, failure->label());
+    if (objectGuardNeedsSpectreMitigations(objId)) {
+        masm.branchTestObjClass(Assembler::NotEqual, obj, clasp, scratch, obj, failure->label());
+    } else {
+        masm.branchTestObjClassNoSpectreMitigations(Assembler::NotEqual, obj, clasp, scratch,
+                                                    failure->label());
+    }
+
     return true;
 }
 
 bool
 IonCacheIRCompiler::emitGuardHasProxyHandler()
 {
     Register obj = allocator.useRegister(masm, reader.objOperandId());
     const void* handler = proxyHandlerStubField(reader.stubOffset());
@@ -812,19 +847,21 @@ bool
 IonCacheIRCompiler::emitGuardXrayExpandoShapeAndDefaultProto()
 {
     Register obj = allocator.useRegister(masm, reader.objOperandId());
     bool hasExpando = reader.readBool();
     JSObject* shapeWrapper = objectStubField(reader.stubOffset());
     MOZ_ASSERT(hasExpando == !!shapeWrapper);
 
     AutoScratchRegister scratch(allocator, masm);
-    Maybe<AutoScratchRegister> scratch2;
-    if (hasExpando)
+    Maybe<AutoScratchRegister> scratch2, scratch3;
+    if (hasExpando) {
         scratch2.emplace(allocator, masm);
+        scratch3.emplace(allocator, masm);
+    }
 
     FailurePath* failure;
     if (!addFailurePath(&failure))
         return false;
 
     masm.loadPtr(Address(obj, ProxyObject::offsetOfReservedSlots()), scratch);
     Address holderAddress(scratch, sizeof(Value) * GetXrayJitInfo()->xrayHolderSlot);
     Address expandoAddress(scratch, NativeObject::getFixedSlotOffset(GetXrayJitInfo()->holderExpandoSlot));
@@ -836,17 +873,18 @@ IonCacheIRCompiler::emitGuardXrayExpando
         masm.unboxObject(expandoAddress, scratch);
 
         // Unwrap the expando before checking its shape.
         masm.loadPtr(Address(scratch, ProxyObject::offsetOfReservedSlots()), scratch);
         masm.unboxObject(Address(scratch, detail::ProxyReservedSlots::offsetOfPrivateSlot()), scratch);
 
         masm.movePtr(ImmGCPtr(shapeWrapper), scratch2.ref());
         LoadShapeWrapperContents(masm, scratch2.ref(), scratch2.ref(), failure->label());
-        masm.branchTestObjShape(Assembler::NotEqual, scratch, scratch2.ref(), failure->label());
+        masm.branchTestObjShape(Assembler::NotEqual, scratch, *scratch2, *scratch3, scratch,
+                                failure->label());
 
         // The reserved slots on the expando should all be in fixed slots.
         Address protoAddress(scratch, NativeObject::getFixedSlotOffset(GetXrayJitInfo()->expandoProtoSlot));
         masm.branchTestUndefined(Assembler::NotEqual, protoAddress, failure->label());
     } else {
         Label done;
         masm.branchTestObject(Assembler::NotEqual, holderAddress, &done);
         masm.unboxObject(holderAddress, scratch);
@@ -2358,17 +2396,20 @@ IonCacheIRCompiler::emitGuardDOMExpandoM
     if (!addFailurePath(&failure))
         return false;
 
     Label done;
     masm.branchTestUndefined(Assembler::Equal, val, &done);
 
     masm.debugAssertIsObject(val);
     masm.unboxObject(val, objScratch);
-    masm.branchTestObjShape(Assembler::NotEqual, objScratch, shape, failure->label());
+    // The expando object is not used in this case, so we don't need Spectre
+    // mitigations.
+    masm.branchTestObjShapeNoSpectreMitigations(Assembler::NotEqual, objScratch, shape,
+                                                failure->label());
 
     masm.bind(&done);
     return true;
 }
 
 bool
 IonCacheIRCompiler::emitLoadDOMExpandoValueGuardGeneration()
 {
--- a/js/src/jit/JitOptions.cpp
+++ b/js/src/jit/JitOptions.cpp
@@ -231,16 +231,17 @@ DefaultJitOptions::DefaultJitOptions()
     if (const char* env = getenv(forcedRegisterAllocatorEnv)) {
         forcedRegisterAllocator = LookupRegisterAllocator(env);
         if (!forcedRegisterAllocator.isSome())
             Warn(forcedRegisterAllocatorEnv, env);
     }
 
     SET_DEFAULT(spectreIndexMasking, true);
     SET_DEFAULT(spectreObjectMitigationsBarriers, true);
+    SET_DEFAULT(spectreObjectMitigationsMisc, false);
     SET_DEFAULT(spectreStringMitigations, true);
     SET_DEFAULT(spectreValueMasking, true);
     SET_DEFAULT(spectreJitToCxxCalls, true);
 
     // Toggles whether unboxed plain objects can be created by the VM.
     SET_DEFAULT(disableUnboxedObjects, false);
 
     // Test whether Atomics are allowed in asm.js code.
--- a/js/src/jit/JitOptions.h
+++ b/js/src/jit/JitOptions.h
@@ -95,16 +95,17 @@ struct DefaultJitOptions
     mozilla::Maybe<uint32_t> forcedDefaultIonSmallFunctionWarmUpThreshold;
     mozilla::Maybe<IonRegisterAllocator> forcedRegisterAllocator;
 
     // Spectre mitigation flags. Each mitigation has its own flag in order to
     // measure the effectiveness of each mitigation with various proof of
     // concept.
     bool spectreIndexMasking;
     bool spectreObjectMitigationsBarriers;
+    bool spectreObjectMitigationsMisc;
     bool spectreStringMitigations;
     bool spectreValueMasking;
     bool spectreJitToCxxCalls;
 
     // The options below affect the rest of the VM, and not just the JIT.
     bool disableUnboxedObjects;
 
     DefaultJitOptions();
--- a/js/src/jit/Lowering.cpp
+++ b/js/src/jit/Lowering.cpp
@@ -3495,19 +3495,29 @@ LIRGenerator::visitStoreUnboxedString(MS
 
     LInstruction* lir = new(alloc()) LStoreUnboxedPointer(elements, index, value);
     add(lir, ins);
 }
 
 void
 LIRGenerator::visitConvertUnboxedObjectToNative(MConvertUnboxedObjectToNative* ins)
 {
-    LInstruction* check = new(alloc()) LConvertUnboxedObjectToNative(useRegister(ins->object()));
-    add(check, ins);
-    assignSafepoint(check, ins);
+    MOZ_ASSERT(ins->object()->type() == MIRType::Object);
+
+    if (JitOptions.spectreObjectMitigationsMisc) {
+        auto* lir = new(alloc()) LConvertUnboxedObjectToNative(useRegisterAtStart(ins->object()),
+                                                               temp());
+        defineReuseInput(lir, ins, 0);
+        assignSafepoint(lir, ins);
+    } else {
+        auto* lir = new(alloc()) LConvertUnboxedObjectToNative(useRegister(ins->object()),
+                                                               LDefinition::BogusTemp());
+        add(lir, ins);
+        assignSafepoint(lir, ins);
+    }
 }
 
 void
 LIRGenerator::visitEffectiveAddress(MEffectiveAddress* ins)
 {
     define(new(alloc()) LEffectiveAddress(useRegister(ins->base()), useRegister(ins->index())), ins);
 }
 
@@ -3928,45 +3938,46 @@ LIRGenerator::visitGetPropertyCache(MGet
 
 void
 LIRGenerator::visitGetPropertyPolymorphic(MGetPropertyPolymorphic* ins)
 {
     MOZ_ASSERT(ins->object()->type() == MIRType::Object);
 
     if (ins->type() == MIRType::Value) {
         LGetPropertyPolymorphicV* lir =
-            new(alloc()) LGetPropertyPolymorphicV(useRegister(ins->object()));
+            new(alloc()) LGetPropertyPolymorphicV(useRegister(ins->object()), temp());
         assignSnapshot(lir, Bailout_ShapeGuard);
         defineBox(lir, ins);
     } else {
-        LDefinition maybeTemp = (ins->type() == MIRType::Double) ? temp() : LDefinition::BogusTemp();
+        LDefinition maybeTemp2 =
+            (ins->type() == MIRType::Double) ? temp() : LDefinition::BogusTemp();
         LGetPropertyPolymorphicT* lir =
-            new(alloc()) LGetPropertyPolymorphicT(useRegister(ins->object()), maybeTemp);
+            new(alloc()) LGetPropertyPolymorphicT(useRegister(ins->object()), temp(), maybeTemp2);
         assignSnapshot(lir, Bailout_ShapeGuard);
         define(lir, ins);
     }
 }
 
 void
 LIRGenerator::visitSetPropertyPolymorphic(MSetPropertyPolymorphic* ins)
 {
     MOZ_ASSERT(ins->object()->type() == MIRType::Object);
 
     if (ins->value()->type() == MIRType::Value) {
         LSetPropertyPolymorphicV* lir =
             new(alloc()) LSetPropertyPolymorphicV(useRegister(ins->object()),
                                                   useBox(ins->value()),
-                                                  temp());
+                                                  temp(), temp());
         assignSnapshot(lir, Bailout_ShapeGuard);
         add(lir, ins);
     } else {
         LAllocation value = useRegisterOrConstant(ins->value());
         LSetPropertyPolymorphicT* lir =
             new(alloc()) LSetPropertyPolymorphicT(useRegister(ins->object()), value,
-                                                  ins->value()->type(), temp());
+                                                  ins->value()->type(), temp(), temp());
         assignSnapshot(lir, Bailout_ShapeGuard);
         add(lir, ins);
     }
 }
 
 void
 LIRGenerator::visitBindNameCache(MBindNameCache* ins)
 {
@@ -3998,39 +4009,45 @@ LIRGenerator::visitGuardObjectIdentity(M
     redefine(ins, ins->object());
 }
 
 void
 LIRGenerator::visitGuardShape(MGuardShape* ins)
 {
     MOZ_ASSERT(ins->object()->type() == MIRType::Object);
 
-    LGuardShape* guard = new(alloc()) LGuardShape(useRegisterAtStart(ins->object()));
-    assignSnapshot(guard, ins->bailoutKind());
-    add(guard, ins);
-    redefine(ins, ins->object());
+    if (JitOptions.spectreObjectMitigationsMisc) {
+        auto* lir = new(alloc()) LGuardShape(useRegisterAtStart(ins->object()), temp());
+        assignSnapshot(lir, ins->bailoutKind());
+        defineReuseInput(lir, ins, 0);
+    } else {
+        auto* lir = new(alloc()) LGuardShape(useRegister(ins->object()),
+                                             LDefinition::BogusTemp());
+        assignSnapshot(lir, ins->bailoutKind());
+        add(lir, ins);
+        redefine(ins, ins->object());
+    }
 }
 
 void
 LIRGenerator::visitGuardObjectGroup(MGuardObjectGroup* ins)
 {
     MOZ_ASSERT(ins->object()->type() == MIRType::Object);
 
-    LGuardObjectGroup* guard = new(alloc()) LGuardObjectGroup(useRegisterAtStart(ins->object()));
-    assignSnapshot(guard, ins->bailoutKind());
-    add(guard, ins);
-    redefine(ins, ins->object());
-}
-
-void
-LIRGenerator::visitGuardClass(MGuardClass* ins)
-{
-    LGuardClass* guard = new(alloc()) LGuardClass(useRegister(ins->object()), temp());
-    assignSnapshot(guard, Bailout_ObjectIdentityOrTypeGuard);
-    add(guard, ins);
+    if (JitOptions.spectreObjectMitigationsMisc) {
+        auto* lir = new(alloc()) LGuardObjectGroup(useRegisterAtStart(ins->object()), temp());
+        assignSnapshot(lir, ins->bailoutKind());
+        defineReuseInput(lir, ins, 0);
+    } else {
+        auto* lir = new(alloc()) LGuardObjectGroup(useRegister(ins->object()),
+                                                   LDefinition::BogusTemp());
+        assignSnapshot(lir, ins->bailoutKind());
+        add(lir, ins);
+        redefine(ins, ins->object());
+    }
 }
 
 void
 LIRGenerator::visitGuardObject(MGuardObject* ins)
 {
     // The type policy does all the work, so at this point the input
     // is guaranteed to be an object.
     MOZ_ASSERT(ins->input()->type() == MIRType::Object);
@@ -4064,21 +4081,28 @@ LIRGenerator::visitPolyInlineGuard(MPoly
 }
 
 void
 LIRGenerator::visitGuardReceiverPolymorphic(MGuardReceiverPolymorphic* ins)
 {
     MOZ_ASSERT(ins->object()->type() == MIRType::Object);
     MOZ_ASSERT(ins->type() == MIRType::Object);
 
-    LGuardReceiverPolymorphic* guard =
-        new(alloc()) LGuardReceiverPolymorphic(useRegister(ins->object()), temp());
-    assignSnapshot(guard, Bailout_ShapeGuard);
-    add(guard, ins);
-    redefine(ins, ins->object());
+    if (JitOptions.spectreObjectMitigationsMisc) {
+        auto* lir = new(alloc()) LGuardReceiverPolymorphic(useRegisterAtStart(ins->object()),
+                                                           temp(), temp());
+        assignSnapshot(lir, Bailout_ShapeGuard);
+        defineReuseInput(lir, ins, 0);
+    } else {
+        auto* lir = new(alloc()) LGuardReceiverPolymorphic(useRegister(ins->object()),
+                                                           temp(), temp());
+        assignSnapshot(lir, Bailout_ShapeGuard);
+        add(lir, ins);
+        redefine(ins, ins->object());
+    }
 }
 
 void
 LIRGenerator::visitGuardUnboxedExpando(MGuardUnboxedExpando* ins)
 {
     LGuardUnboxedExpando* guard =
         new(alloc()) LGuardUnboxedExpando(useRegister(ins->object()));
     assignSnapshot(guard, ins->bailoutKind());
--- a/js/src/jit/Lowering.h
+++ b/js/src/jit/Lowering.h
@@ -261,17 +261,16 @@ class LIRGenerator : public LIRGenerator
     void visitGetPropertyCache(MGetPropertyCache* ins) override;
     void visitGetPropertyPolymorphic(MGetPropertyPolymorphic* ins) override;
     void visitSetPropertyPolymorphic(MSetPropertyPolymorphic* ins) override;
     void visitBindNameCache(MBindNameCache* ins) override;
     void visitCallBindVar(MCallBindVar* ins) override;
     void visitGuardObjectIdentity(MGuardObjectIdentity* ins) override;
     void visitGuardShape(MGuardShape* ins) override;
     void visitGuardObjectGroup(MGuardObjectGroup* ins) override;
-    void visitGuardClass(MGuardClass* ins) override;
     void visitGuardObject(MGuardObject* ins) override;
     void visitGuardString(MGuardString* ins) override;
     void visitGuardReceiverPolymorphic(MGuardReceiverPolymorphic* ins) override;
     void visitGuardUnboxedExpando(MGuardUnboxedExpando* ins) override;
     void visitLoadUnboxedExpando(MLoadUnboxedExpando* ins) override;
     void visitPolyInlineGuard(MPolyInlineGuard* ins) override;
     void visitAssertRange(MAssertRange* ins) override;
     void visitCallGetProperty(MCallGetProperty* ins) override;
--- a/js/src/jit/MIR.h
+++ b/js/src/jit/MIR.h
@@ -11757,53 +11757,16 @@ class MGuardObjectIdentity
             return false;
         return congruentIfOperandsEqual(ins);
     }
     AliasSet getAliasSet() const override {
         return AliasSet::Load(AliasSet::ObjectFields);
     }
 };
 
-// Guard on an object's class.
-class MGuardClass
-  : public MUnaryInstruction,
-    public SingleObjectPolicy::Data
-{
-    const Class* class_;
-
-    MGuardClass(MDefinition* obj, const Class* clasp)
-      : MUnaryInstruction(classOpcode, obj),
-        class_(clasp)
-    {
-        setGuard();
-        setMovable();
-    }
-
-  public:
-    INSTRUCTION_HEADER(GuardClass)
-    TRIVIAL_NEW_WRAPPERS
-    NAMED_OPERANDS((0, object))
-
-    const Class* getClass() const {
-        return class_;
-    }
-    bool congruentTo(const MDefinition* ins) const override {
-        if (!ins->isGuardClass())
-            return false;
-        if (getClass() != ins->toGuardClass()->getClass())
-            return false;
-        return congruentIfOperandsEqual(ins);
-    }
-    AliasSet getAliasSet() const override {
-        return AliasSet::Load(AliasSet::ObjectFields);
-    }
-
-    ALLOW_CLONE(MGuardClass)
-};
-
 // Guard on the presence or absence of an unboxed object's expando.
 class MGuardUnboxedExpando
   : public MUnaryInstruction,
     public SingleObjectPolicy::Data
 {
     bool requireExpando_;
     BailoutKind bailoutKind_;
 
--- a/js/src/jit/MOpcodes.h
+++ b/js/src/jit/MOpcodes.h
@@ -193,17 +193,16 @@ namespace jit {
     _(GetPropertyPolymorphic)                                               \
     _(SetPropertyPolymorphic)                                               \
     _(BindNameCache)                                                        \
     _(CallBindVar)                                                          \
     _(GuardShape)                                                           \
     _(GuardReceiverPolymorphic)                                             \
     _(GuardObjectGroup)                                                     \
     _(GuardObjectIdentity)                                                  \
-    _(GuardClass)                                                           \
     _(GuardUnboxedExpando)                                                  \
     _(LoadUnboxedExpando)                                                   \
     _(ArrayLength)                                                          \
     _(SetArrayLength)                                                       \
     _(GetNextEntryForIterator)                                              \
     _(TypedArrayLength)                                                     \
     _(TypedArrayElements)                                                   \
     _(SetDisjointTypedElements)                                             \
--- a/js/src/jit/MacroAssembler-inl.h
+++ b/js/src/jit/MacroAssembler-inl.h
@@ -487,54 +487,170 @@ MacroAssembler::branchFunctionKind(Condi
     int32_t mask = IMM32_16ADJ(JSFunction::FUNCTION_KIND_MASK);
     int32_t bit = IMM32_16ADJ(kind << JSFunction::FUNCTION_KIND_SHIFT);
     load32(address, scratch);
     and32(Imm32(mask), scratch);
     branch32(cond, scratch, Imm32(bit), label);
 }
 
 void
-MacroAssembler::branchTestObjClass(Condition cond, Register obj, Register scratch,
-                                   const js::Class* clasp, Label* label)
+MacroAssembler::branchTestObjClass(Condition cond, Register obj, const js::Class* clasp,
+                                   Register scratch, Register spectreRegToZero, Label* label)
+{
+    MOZ_ASSERT(obj != scratch);
+    MOZ_ASSERT(scratch != spectreRegToZero);
+
+    loadPtr(Address(obj, JSObject::offsetOfGroup()), scratch);
+    branchPtr(cond, Address(scratch, ObjectGroup::offsetOfClasp()), ImmPtr(clasp), label);
+
+    if (JitOptions.spectreObjectMitigationsMisc)
+        spectreZeroRegister(cond, scratch, spectreRegToZero);
+}
+
+void
+MacroAssembler::branchTestObjClassNoSpectreMitigations(Condition cond, Register obj,
+                                                       const js::Class* clasp,
+                                                       Register scratch, Label* label)
 {
     loadPtr(Address(obj, JSObject::offsetOfGroup()), scratch);
     branchPtr(cond, Address(scratch, ObjectGroup::offsetOfClasp()), ImmPtr(clasp), label);
 }
 
 void
-MacroAssembler::branchTestObjClass(Condition cond, Register obj, Register scratch,
-                                   const Address& clasp, Label* label)
+MacroAssembler::branchTestObjClass(Condition cond, Register obj, const Address& clasp,
+                                   Register scratch, Register spectreRegToZero, Label* label)
 {
+    MOZ_ASSERT(obj != scratch);
+    MOZ_ASSERT(scratch != spectreRegToZero);
+
+    loadPtr(Address(obj, JSObject::offsetOfGroup()), scratch);
+    loadPtr(Address(scratch, ObjectGroup::offsetOfClasp()), scratch);
+    branchPtr(cond, clasp, scratch, label);
+
+    if (JitOptions.spectreObjectMitigationsMisc)
+        spectreZeroRegister(cond, scratch, spectreRegToZero);
+}
+
+void
+MacroAssembler::branchTestObjClassNoSpectreMitigations(Condition cond, Register obj,
+                                                       const Address& clasp, Register scratch,
+                                                       Label* label)
+{
+    MOZ_ASSERT(obj != scratch);
     loadPtr(Address(obj, JSObject::offsetOfGroup()), scratch);
     loadPtr(Address(scratch, ObjectGroup::offsetOfClasp()), scratch);
     branchPtr(cond, clasp, scratch, label);
 }
 
 void
-MacroAssembler::branchTestObjShape(Condition cond, Register obj, const Shape* shape, Label* label)
+MacroAssembler::branchTestObjShape(Condition cond, Register obj, const Shape* shape, Register scratch,
+                                   Register spectreRegToZero, Label* label)
+{
+    MOZ_ASSERT(obj != scratch);
+    MOZ_ASSERT(spectreRegToZero != scratch);
+
+    if (JitOptions.spectreObjectMitigationsMisc)
+        move32(Imm32(0), scratch);
+
+    branchPtr(cond, Address(obj, ShapedObject::offsetOfShape()), ImmGCPtr(shape), label);
+
+    if (JitOptions.spectreObjectMitigationsMisc)
+        spectreMovePtr(cond, scratch, spectreRegToZero);
+}
+
+void
+MacroAssembler::branchTestObjShapeNoSpectreMitigations(Condition cond, Register obj,
+                                                       const Shape* shape, Label* label)
 {
     branchPtr(cond, Address(obj, ShapedObject::offsetOfShape()), ImmGCPtr(shape), label);
 }
 
 void
-MacroAssembler::branchTestObjShape(Condition cond, Register obj, Register shape, Label* label)
+MacroAssembler::branchTestObjShape(Condition cond, Register obj, Register shape, Register scratch,
+                                   Register spectreRegToZero, Label* label)
+{
+    MOZ_ASSERT(obj != scratch);
+    MOZ_ASSERT(obj != shape);
+    MOZ_ASSERT(spectreRegToZero != scratch);
+
+    if (JitOptions.spectreObjectMitigationsMisc)
+        move32(Imm32(0), scratch);
+
+    branchPtr(cond, Address(obj, ShapedObject::offsetOfShape()), shape, label);
+
+    if (JitOptions.spectreObjectMitigationsMisc)
+        spectreMovePtr(cond, scratch, spectreRegToZero);
+}
+
+void
+MacroAssembler::branchTestObjShapeNoSpectreMitigations(Condition cond, Register obj, Register shape,
+                                                       Label* label)
 {
     branchPtr(cond, Address(obj, ShapedObject::offsetOfShape()), shape, label);
 }
 
 void
+MacroAssembler::branchTestObjShapeUnsafe(Condition cond, Register obj, Register shape,
+                                         Label* label)
+{
+    branchTestObjShapeNoSpectreMitigations(cond, obj, shape, label);
+}
+
+void
 MacroAssembler::branchTestObjGroup(Condition cond, Register obj, const ObjectGroup* group,
-                                   Label* label)
+                                   Register scratch, Register spectreRegToZero, Label* label)
+{
+    MOZ_ASSERT(obj != scratch);
+    MOZ_ASSERT(spectreRegToZero != scratch);
+
+    if (JitOptions.spectreObjectMitigationsMisc)
+        move32(Imm32(0), scratch);
+
+    branchPtr(cond, Address(obj, JSObject::offsetOfGroup()), ImmGCPtr(group), label);
+
+    if (JitOptions.spectreObjectMitigationsMisc)
+        spectreMovePtr(cond, scratch, spectreRegToZero);
+}
+
+void
+MacroAssembler::branchTestObjGroupNoSpectreMitigations(Condition cond, Register obj,
+                                                       const ObjectGroup* group, Label* label)
 {
     branchPtr(cond, Address(obj, JSObject::offsetOfGroup()), ImmGCPtr(group), label);
 }
 
 void
-MacroAssembler::branchTestObjGroup(Condition cond, Register obj, Register group, Label* label)
+MacroAssembler::branchTestObjGroupUnsafe(Condition cond, Register obj, const ObjectGroup* group,
+                                         Label* label)
+{
+    branchTestObjGroupNoSpectreMitigations(cond, obj, group, label);
+}
+
+void
+MacroAssembler::branchTestObjGroup(Condition cond, Register obj, Register group, Register scratch,
+                                   Register spectreRegToZero, Label* label)
 {
+    MOZ_ASSERT(obj != scratch);
+    MOZ_ASSERT(obj != group);
+    MOZ_ASSERT(spectreRegToZero != scratch);
+
+    if (JitOptions.spectreObjectMitigationsMisc)
+        move32(Imm32(0), scratch);
+
+    branchPtr(cond, Address(obj, JSObject::offsetOfGroup()), group, label);
+
+    if (JitOptions.spectreObjectMitigationsMisc)
+        spectreMovePtr(cond, scratch, spectreRegToZero);
+}
+
+void
+MacroAssembler::branchTestObjGroupNoSpectreMitigations(Condition cond, Register obj, Register group,
+                                                       Label* label)
+{
+    MOZ_ASSERT(obj != group);
     branchPtr(cond, Address(obj, JSObject::offsetOfGroup()), group, label);
 }
 
 void
 MacroAssembler::branchTestClassIsProxy(bool proxy, Register clasp, Label* label)
 {
     branchTest32(proxy ? Assembler::NonZero : Assembler::Zero,
                  Address(clasp, Class::offsetOfFlags()),
--- a/js/src/jit/MacroAssembler.cpp
+++ b/js/src/jit/MacroAssembler.cpp
@@ -3196,26 +3196,45 @@ MacroAssembler::branchIfNotInterpretedCo
     branchTest32(Assembler::Zero, scratch, Imm32(bits), label);
 
     // Check if the CONSTRUCTOR bit is set.
     bits = IMM32_16ADJ(JSFunction::CONSTRUCTOR);
     branchTest32(Assembler::Zero, scratch, Imm32(bits), label);
 }
 
 void
-MacroAssembler::branchTestObjGroup(Condition cond, Register obj, const Address& group,
-                                   Register scratch, Label* label)
+MacroAssembler::branchTestObjGroupNoSpectreMitigations(Condition cond, Register obj,
+                                                       const Address& group, Register scratch,
+                                                       Label* label)
 {
     // Note: obj and scratch registers may alias.
+    MOZ_ASSERT(group.base != scratch);
+    MOZ_ASSERT(group.base != obj);
 
     loadPtr(Address(obj, JSObject::offsetOfGroup()), scratch);
     branchPtr(cond, group, scratch, label);
 }
 
 void
+MacroAssembler::branchTestObjGroup(Condition cond, Register obj, const Address& group,
+                                   Register scratch, Register spectreRegToZero, Label* label)
+{
+    // Note: obj and scratch registers may alias.
+    MOZ_ASSERT(group.base != scratch);
+    MOZ_ASSERT(group.base != obj);
+    MOZ_ASSERT(scratch != spectreRegToZero);
+
+    loadPtr(Address(obj, JSObject::offsetOfGroup()), scratch);
+    branchPtr(cond, group, scratch, label);
+
+    if (JitOptions.spectreObjectMitigationsMisc)
+        spectreZeroRegister(cond, scratch, spectreRegToZero);
+}
+
+void
 MacroAssembler::branchTestObjCompartment(Condition cond, Register obj, const Address& compartment,
                                          Register scratch, Label* label)
 {
     MOZ_ASSERT(obj != scratch);
     loadPtr(Address(obj, JSObject::offsetOfGroup()), scratch);
     loadPtr(Address(scratch, ObjectGroup::offsetOfCompartment()), scratch);
     branchPtr(cond, compartment, scratch, label);
 }
--- a/js/src/jit/MacroAssembler.h
+++ b/js/src/jit/MacroAssembler.h
@@ -1172,28 +1172,62 @@ class MacroAssembler : public MacroAssem
     inline void branchFunctionKind(Condition cond, JSFunction::FunctionKind kind, Register fun,
                                    Register scratch, Label* label);
 
     void branchIfNotInterpretedConstructor(Register fun, Register scratch, Label* label);
 
     inline void branchIfObjectEmulatesUndefined(Register objReg, Register scratch, Label* slowCheck,
                                                 Label* label);
 
-    inline void branchTestObjClass(Condition cond, Register obj, Register scratch,
-                                   const js::Class* clasp, Label* label);
-    inline void branchTestObjClass(Condition cond, Register obj, Register scratch,
-                                   const Address& clasp, Label* label);
-    inline void branchTestObjShape(Condition cond, Register obj, const Shape* shape, Label* label);
-    inline void branchTestObjShape(Condition cond, Register obj, Register shape, Label* label);
+    // For all methods below: spectreRegToZero is a register that will be zeroed
+    // on speculatively executed code paths (when the branch should be taken but
+    // branch prediction speculates it isn't). Usually this will be the object
+    // register but the caller may pass a different register.
+
+    inline void branchTestObjClass(Condition cond, Register obj, const js::Class* clasp,
+                                   Register scratch, Register spectreRegToZero, Label* label);
+    inline void branchTestObjClassNoSpectreMitigations(Condition cond, Register obj,
+                                                       const js::Class* clasp, Register scratch,
+                                                       Label* label);
+
+    inline void branchTestObjClass(Condition cond, Register obj, const Address& clasp,
+                                   Register scratch, Register spectreRegToZero, Label* label);
+    inline void branchTestObjClassNoSpectreMitigations(Condition cond, Register obj,
+                                                       const Address& clasp, Register scratch,
+                                                       Label* label);
+
+    inline void branchTestObjShape(Condition cond, Register obj, const Shape* shape,
+                                   Register scratch, Register spectreRegToZero, Label* label);
+    inline void branchTestObjShapeNoSpectreMitigations(Condition cond, Register obj,
+                                                       const Shape* shape, Label* label);
+
+    inline void branchTestObjShape(Condition cond, Register obj, Register shape, Register scratch,
+                                   Register spectreRegToZero, Label* label);
+    inline void branchTestObjShapeNoSpectreMitigations(Condition cond, Register obj,
+                                                       Register shape, Label* label);
+
     inline void branchTestObjGroup(Condition cond, Register obj, const ObjectGroup* group,
-                                   Label* label);
-    inline void branchTestObjGroup(Condition cond, Register obj, Register group, Label* label);
+                                   Register scratch, Register spectreRegToZero, Label* label);
+    inline void branchTestObjGroupNoSpectreMitigations(Condition cond, Register obj,
+                                                       const ObjectGroup* group, Label* label);
+
+    inline void branchTestObjGroup(Condition cond, Register obj, Register group, Register scratch,
+                                   Register spectreRegToZero, Label* label);
+    inline void branchTestObjGroupNoSpectreMitigations(Condition cond, Register obj,
+                                                       Register group, Label* label);
 
     void branchTestObjGroup(Condition cond, Register obj, const Address& group, Register scratch,
-                            Label* label);
+                            Register spectreRegToZero, Label* label);
+    void branchTestObjGroupNoSpectreMitigations(Condition cond, Register obj, const Address& group,
+                                                Register scratch, Label* label);
+
+    // TODO: audit/fix callers to be Spectre safe.
+    inline void branchTestObjShapeUnsafe(Condition cond, Register obj, Register shape, Label* label);
+    inline void branchTestObjGroupUnsafe(Condition cond, Register obj, const ObjectGroup* group,
+                                         Label* label);
 
     void branchTestObjCompartment(Condition cond, Register obj, const Address& compartment,
                                   Register scratch, Label* label);
     void branchTestObjCompartment(Condition cond, Register obj, const JSCompartment* compartment,
                                   Register scratch, Label* label);
     void branchIfObjGroupHasNoAddendum(Register obj, Register scratch, Label* label);
     void branchIfPretenuredGroup(const ObjectGroup* group, Register scratch, Label* label);
 
@@ -1390,16 +1424,20 @@ class MacroAssembler : public MacroAssem
     inline void test32MovePtr(Condition cond, const Address& addr, Imm32 mask, Register src,
                               Register dest)
         DEFINED_ON(arm, arm64, mips_shared, x86, x64);
 
     // Conditional move for Spectre mitigations.
     inline void spectreMovePtr(Condition cond, Register src, Register dest)
         DEFINED_ON(arm, arm64, mips_shared, x86, x64);
 
+    // Zeroes dest if the condition is true.
+    inline void spectreZeroRegister(Condition cond, Register scratch, Register dest)
+        DEFINED_ON(arm, arm64, mips_shared, x86_shared);
+
     // Performs a bounds check and zeroes the index register if out-of-bounds
     // (to mitigate Spectre).
     inline void boundsCheck32ForLoad(Register index, Register length, Register scratch,
                                      Label* failure)
         DEFINED_ON(arm, arm64, mips_shared, x86_shared);
     inline void boundsCheck32ForLoad(Register index, const Address& length, Register scratch,
                                      Label* failure)
         DEFINED_ON(arm, arm64, mips_shared, x86_shared);
--- a/js/src/jit/SharedIC.cpp
+++ b/js/src/jit/SharedIC.cpp
@@ -2534,21 +2534,23 @@ ICTypeMonitor_SingleObject::Compiler::ge
 
 bool
 ICTypeMonitor_ObjectGroup::Compiler::generateStubCode(MacroAssembler& masm)
 {
     Label failure;
     masm.branchTestObject(Assembler::NotEqual, R0, &failure);
     MaybeWorkAroundAmdBug(masm);
 
-    // Guard on the object's ObjectGroup.
+    // Guard on the object's ObjectGroup. No Spectre mitigations are needed
+    // here: we're just recording type information for Ion compilation and
+    // it's safe to speculatively return.
     Register obj = masm.extractObject(R0, ExtractTemp0);
     Address expectedGroup(ICStubReg, ICTypeMonitor_ObjectGroup::offsetOfGroup());
-    masm.branchTestObjGroup(Assembler::NotEqual, obj, expectedGroup, R1.scratchReg(),
-                            &failure);
+    masm.branchTestObjGroupNoSpectreMitigations(Assembler::NotEqual, obj, expectedGroup,
+                                                R1.scratchReg(), &failure);
     MaybeWorkAroundAmdBug(masm);
 
     EmitReturnFromIC(masm);
     MaybeWorkAroundAmdBug(masm);
 
     masm.bind(&failure);
     EmitStubGuardFailure(masm);
     return true;
--- a/js/src/jit/arm/MacroAssembler-arm-inl.h
+++ b/js/src/jit/arm/MacroAssembler-arm-inl.h
@@ -2183,16 +2183,22 @@ MacroAssembler::test32MovePtr(Condition 
 
 void
 MacroAssembler::spectreMovePtr(Condition cond, Register src, Register dest)
 {
     ma_mov(src, dest, LeaveCC, cond);
 }
 
 void
+MacroAssembler::spectreZeroRegister(Condition cond, Register, Register dest)
+{
+    ma_mov(Imm32(0), dest, cond);
+}
+
+void
 MacroAssembler::boundsCheck32ForLoad(Register index, Register length, Register scratch,
                                      Label* failure)
 {
     MOZ_ASSERT(index != length);
     MOZ_ASSERT(length != scratch);
     MOZ_ASSERT(index != scratch);
 
     if (JitOptions.spectreIndexMasking)
--- a/js/src/jit/arm64/MacroAssembler-arm64-inl.h
+++ b/js/src/jit/arm64/MacroAssembler-arm64-inl.h
@@ -1862,16 +1862,23 @@ MacroAssembler::test32MovePtr(Condition 
 
 void
 MacroAssembler::spectreMovePtr(Condition cond, Register src, Register dest)
 {
     Csel(ARMRegister(dest, 64), ARMRegister(src, 64), ARMRegister(dest, 64), cond);
 }
 
 void
+MacroAssembler::spectreZeroRegister(Condition cond, Register, Register dest)
+{
+    Csel(ARMRegister(dest, 64), ARMRegister(dest, 64), vixl::xzr,
+         Assembler::InvertCondition(cond));
+}
+
+void
 MacroAssembler::boundsCheck32ForLoad(Register index, Register length, Register scratch,
                                      Label* failure)
 {
     MOZ_ASSERT(index != length);
     MOZ_ASSERT(length != scratch);
     MOZ_ASSERT(index != scratch);
 
     branch32(Assembler::BelowOrEqual, length, index, failure);
--- a/js/src/jit/mips-shared/MacroAssembler-mips-shared-inl.h
+++ b/js/src/jit/mips-shared/MacroAssembler-mips-shared-inl.h
@@ -1032,16 +1032,22 @@ MacroAssembler::boundsCheck32ForLoad(Reg
 }
 
 void
 MacroAssembler::spectreMovePtr(Condition cond, Register src, Register dest)
 {
     MOZ_CRASH();
 }
 
+void
+MacroAssembler::spectreZeroRegister(Condition cond, Register scratch, Register dest)
+{
+    MOZ_CRASH();
+}
+
 // ========================================================================
 // Memory access primitives.
 void
 MacroAssembler::storeFloat32x3(FloatRegister src, const Address& dest)
 {
     MOZ_CRASH("NYI");
 }
 void
--- a/js/src/jit/shared/LIR-shared.h
+++ b/js/src/jit/shared/LIR-shared.h
@@ -6586,27 +6586,30 @@ class LStoreUnboxedPointer : public LIns
     }
     const LAllocation* value() {
         return getOperand(2);
     }
 };
 
 // If necessary, convert an unboxed object in a particular group to its native
 // representation.
-class LConvertUnboxedObjectToNative : public LInstructionHelper<0, 1, 0>
+class LConvertUnboxedObjectToNative : public LInstructionHelper<1, 1, 1>
 {
   public:
     LIR_HEADER(ConvertUnboxedObjectToNative)
 
-    explicit LConvertUnboxedObjectToNative(const LAllocation& object)
+    LConvertUnboxedObjectToNative(const LAllocation& object, const LDefinition& temp)
       : LInstructionHelper(classOpcode)
     {
         setOperand(0, object);
-    }
-
+        setTemp(0, temp);
+    }
+    const LDefinition* temp() {
+        return getTemp(0);
+    }
     MConvertUnboxedObjectToNative* mir() {
         return mir_->toConvertUnboxedObjectToNative();
     }
 };
 
 class LArrayPopShiftV : public LInstructionHelper<BOX_PIECES, 1, 2>
 {
   public:
@@ -7485,45 +7488,22 @@ class LGetPropertyCacheT : public LInstr
     }
     const LDefinition* temp() {
         return getTemp(0);
     }
 };
 
 // Emit code to load a boxed value from an object's slots if its shape matches
 // one of the shapes observed by the baseline IC, else bails out.
-class LGetPropertyPolymorphicV : public LInstructionHelper<BOX_PIECES, 1, 0>
+class LGetPropertyPolymorphicV : public LInstructionHelper<BOX_PIECES, 1, 1>
 {
   public:
     LIR_HEADER(GetPropertyPolymorphicV)
 
-    explicit LGetPropertyPolymorphicV(const LAllocation& obj)
-      : LInstructionHelper(classOpcode)
-    {
-        setOperand(0, obj);
-    }
-    const LAllocation* obj() {
-        return getOperand(0);
-    }
-    const MGetPropertyPolymorphic* mir() const {
-        return mir_->toGetPropertyPolymorphic();
-    }
-    const char* extraName() const {
-        return PropertyNameToExtraName(mir()->name());
-    }
-};
-
-// Emit code to load a typed value from an object's slots if its shape matches
-// one of the shapes observed by the baseline IC, else bails out.
-class LGetPropertyPolymorphicT : public LInstructionHelper<1, 1, 1>
-{
-  public:
-    LIR_HEADER(GetPropertyPolymorphicT)
-
-    LGetPropertyPolymorphicT(const LAllocation& obj, const LDefinition& temp)
+    LGetPropertyPolymorphicV(const LAllocation& obj, const LDefinition& temp)
       : LInstructionHelper(classOpcode)
     {
         setOperand(0, obj);
         setTemp(0, temp);
     }
     const LAllocation* obj() {
         return getOperand(0);
     }
@@ -7533,72 +7513,112 @@ class LGetPropertyPolymorphicT : public 
     const MGetPropertyPolymorphic* mir() const {
         return mir_->toGetPropertyPolymorphic();
     }
     const char* extraName() const {
         return PropertyNameToExtraName(mir()->name());
     }
 };
 
+// Emit code to load a typed value from an object's slots if its shape matches
+// one of the shapes observed by the baseline IC, else bails out.
+class LGetPropertyPolymorphicT : public LInstructionHelper<1, 1, 2>
+{
+  public:
+    LIR_HEADER(GetPropertyPolymorphicT)
+
+    LGetPropertyPolymorphicT(const LAllocation& obj, const LDefinition& temp1,
+                             const LDefinition& temp2)
+      : LInstructionHelper(classOpcode)
+    {
+        setOperand(0, obj);
+        setTemp(0, temp1);
+        setTemp(1, temp2);
+    }
+    const LAllocation* obj() {
+        return getOperand(0);
+    }
+    const LDefinition* temp1() {
+        return getTemp(0);
+    }
+    const LDefinition* temp2() {
+        return getTemp(1);
+    }
+    const MGetPropertyPolymorphic* mir() const {
+        return mir_->toGetPropertyPolymorphic();
+    }
+    const char* extraName() const {
+        return PropertyNameToExtraName(mir()->name());
+    }
+};
+
 // Emit code to store a boxed value to an object's slots if its shape matches
 // one of the shapes observed by the baseline IC, else bails out.
-class LSetPropertyPolymorphicV : public LInstructionHelper<0, 1 + BOX_PIECES, 1>
+class LSetPropertyPolymorphicV : public LInstructionHelper<0, 1 + BOX_PIECES, 2>
 {
   public:
     LIR_HEADER(SetPropertyPolymorphicV)
 
     LSetPropertyPolymorphicV(const LAllocation& obj, const LBoxAllocation& value,
-                             const LDefinition& temp)
+                             const LDefinition& temp1, const LDefinition& temp2)
       : LInstructionHelper(classOpcode)
     {
         setOperand(0, obj);
         setBoxOperand(Value, value);
-        setTemp(0, temp);
+        setTemp(0, temp1);
+        setTemp(1, temp2);
     }
 
     static const size_t Value = 1;
 
     const LAllocation* obj() {
         return getOperand(0);
     }
-    const LDefinition* temp() {
-        return getTemp(0);
+    const LDefinition* temp1() {
+        return getTemp(0);
+    }
+    const LDefinition* temp2() {
+        return getTemp(1);
     }
     const MSetPropertyPolymorphic* mir() const {
         return mir_->toSetPropertyPolymorphic();
     }
 };
 
 // Emit code to store a typed value to an object's slots if its shape matches
 // one of the shapes observed by the baseline IC, else bails out.
-class LSetPropertyPolymorphicT : public LInstructionHelper<0, 2, 1>
+class LSetPropertyPolymorphicT : public LInstructionHelper<0, 2, 2>
 {
     MIRType valueType_;
 
   public:
     LIR_HEADER(SetPropertyPolymorphicT)
 
     LSetPropertyPolymorphicT(const LAllocation& obj, const LAllocation& value, MIRType valueType,
-                             const LDefinition& temp)
+                             const LDefinition& temp1, const LDefinition& temp2)
       : LInstructionHelper(classOpcode),
         valueType_(valueType)
     {
         setOperand(0, obj);
         setOperand(1, value);
-        setTemp(0, temp);
+        setTemp(0, temp1);
+        setTemp(1, temp2);
     }
 
     const LAllocation* obj() {
         return getOperand(0);
     }
     const LAllocation* value() {
         return getOperand(1);
     }
-    const LDefinition* temp() {
-        return getTemp(0);
+    const LDefinition* temp1() {
+        return getTemp(0);
+    }
+    const LDefinition* temp2() {
+        return getTemp(1);
     }
     MIRType valueType() const {
         return valueType_;
     }
     const MSetPropertyPolymorphic* mir() const {
         return mir_->toSetPropertyPolymorphic();
     }
     const char* extraName() const {
@@ -8381,32 +8401,37 @@ class LRest : public LCallInstructionHel
     const LAllocation* numActuals() {
         return getOperand(0);
     }
     MRest* mir() const {
         return mir_->toRest();
     }
 };
 
-class LGuardReceiverPolymorphic : public LInstructionHelper<0, 1, 1>
+class LGuardReceiverPolymorphic : public LInstructionHelper<1, 1, 2>
 {
   public:
     LIR_HEADER(GuardReceiverPolymorphic)
 
-    LGuardReceiverPolymorphic(const LAllocation& in, const LDefinition& temp)
+    LGuardReceiverPolymorphic(const LAllocation& in, const LDefinition& temp1,
+                              const LDefinition& temp2)
       : LInstructionHelper(classOpcode)
     {
         setOperand(0, in);
-        setTemp(0, temp);
+        setTemp(0, temp1);
+        setTemp(1, temp2);
     }
     const LAllocation* object() {
         return getOperand(0);
     }
-    const LDefinition* temp() {
-        return getTemp(0);
+    const LDefinition* temp1() {
+        return getTemp(0);
+    }
+    const LDefinition* temp2() {
+        return getTemp(1);
     }
     const MGuardReceiverPolymorphic* mir() const {
         return mir_->toGuardReceiverPolymorphic();
     }
 };
 
 class LGuardUnboxedExpando : public LInstructionHelper<0, 1, 0>
 {
@@ -8711,63 +8736,51 @@ class LGuardObjectIdentity : public LIns
     const LAllocation* expected() {
         return getOperand(1);
     }
     const MGuardObjectIdentity* mir() const {
         return mir_->toGuardObjectIdentity();
     }
 };
 
-class LGuardShape : public LInstructionHelper<0, 1, 0>
+class LGuardShape : public LInstructionHelper<1, 1, 1>
 {
   public:
     LIR_HEADER(GuardShape)
 
-    explicit LGuardShape(const LAllocation& in)
-      : LInstructionHelper(classOpcode)
-    {
-        setOperand(0, in);
-    }
-    const MGuardShape* mir() const {
-        return mir_->toGuardShape();
-    }
-};
-
-class LGuardObjectGroup : public LInstructionHelper<0, 1, 0>
-{
-  public:
-    LIR_HEADER(GuardObjectGroup)
-
-    explicit LGuardObjectGroup(const LAllocation& in)
-      : LInstructionHelper(classOpcode)
-    {
-        setOperand(0, in);
-    }
-    const MGuardObjectGroup* mir() const {
-        return mir_->toGuardObjectGroup();
-    }
-};
-
-// Guard against an object's class.
-class LGuardClass : public LInstructionHelper<0, 1, 1>
-{
-  public:
-    LIR_HEADER(GuardClass)
-
-    LGuardClass(const LAllocation& in, const LDefinition& temp)
+    LGuardShape(const LAllocation& in, const LDefinition& temp)
       : LInstructionHelper(classOpcode)
     {
         setOperand(0, in);
         setTemp(0, temp);
     }
-    const MGuardClass* mir() const {
-        return mir_->toGuardClass();
-    }
-    const LDefinition* tempInt() {
-        return getTemp(0);
+    const LDefinition* temp() {
+        return getTemp(0);
+    }
+    const MGuardShape* mir() const {
+        return mir_->toGuardShape();
+    }
+};
+
+class LGuardObjectGroup : public LInstructionHelper<1, 1, 1>
+{
+  public:
+    LIR_HEADER(GuardObjectGroup)
+
+    LGuardObjectGroup(const LAllocation& in, const LDefinition& temp)
+      : LInstructionHelper(classOpcode)
+    {
+        setOperand(0, in);
+        setTemp(0, temp);
+    }
+    const LDefinition* temp() {
+        return getTemp(0);
+    }
+    const MGuardObjectGroup* mir() const {
+        return mir_->toGuardObjectGroup();
     }
 };
 
 // Guard against the sharedness of a TypedArray's memory.
 class LGuardSharedTypedArray : public LInstructionHelper<0, 1, 1>
 {
   public:
     LIR_HEADER(GuardSharedTypedArray)
--- a/js/src/jit/shared/LOpcodes-shared.h
+++ b/js/src/jit/shared/LOpcodes-shared.h
@@ -260,17 +260,16 @@
     _(LoadSlotV)                    \
     _(LoadSlotT)                    \
     _(StoreSlotV)                   \
     _(StoreSlotT)                   \
     _(GuardShape)                   \
     _(GuardReceiverPolymorphic)     \
     _(GuardObjectGroup)             \
     _(GuardObjectIdentity)          \
-    _(GuardClass)                   \
     _(GuardUnboxedExpando)          \
     _(LoadUnboxedExpando)           \
     _(TypeBarrierV)                 \
     _(TypeBarrierO)                 \
     _(PostWriteBarrierO)            \
     _(PostWriteBarrierS)            \
     _(PostWriteBarrierV)            \
     _(PostWriteElementBarrierO)     \
--- a/js/src/jit/x86-shared/MacroAssembler-x86-shared-inl.h
+++ b/js/src/jit/x86-shared/MacroAssembler-x86-shared-inl.h
@@ -1106,16 +1106,24 @@ void
 MacroAssembler::cmp32Move32(Condition cond, Register lhs, const Address& rhs, Register src,
                             Register dest)
 {
     cmp32(lhs, Operand(rhs));
     cmovCCl(cond, src, dest);
 }
 
 void
+MacroAssembler::spectreZeroRegister(Condition cond, Register scratch, Register dest)
+{
+    // Note: use movl instead of move32/xorl to ensure flags are not clobbered.
+    movl(Imm32(0), scratch);
+    spectreMovePtr(cond, scratch, dest);
+}
+
+void
 MacroAssembler::boundsCheck32ForLoad(Register index, Register length, Register scratch,
                                      Label* failure)
 {
     MOZ_ASSERT(index != length);
     MOZ_ASSERT(length != scratch);
     MOZ_ASSERT(index != scratch);
 
     if (JitOptions.spectreIndexMasking)
--- a/js/src/jsapi.cpp
+++ b/js/src/jsapi.cpp
@@ -7276,16 +7276,19 @@ JS_SetGlobalJitCompilerOption(JSContext*
         jit::JitOptions.simulatorAlwaysInterrupt = !!value;
         break;
       case JSJITCOMPILER_SPECTRE_INDEX_MASKING:
         jit::JitOptions.spectreIndexMasking = !!value;
         break;
       case JSJITCOMPILER_SPECTRE_OBJECT_MITIGATIONS_BARRIERS:
         jit::JitOptions.spectreObjectMitigationsBarriers = !!value;
         break;
+      case JSJITCOMPILER_SPECTRE_OBJECT_MITIGATIONS_MISC:
+        jit::JitOptions.spectreObjectMitigationsMisc = !!value;
+        break;
       case JSJITCOMPILER_SPECTRE_STRING_MITIGATIONS:
         jit::JitOptions.spectreStringMitigations = !!value;
         break;
       case JSJITCOMPILER_SPECTRE_VALUE_MASKING:
         jit::JitOptions.spectreValueMasking = !!value;
         break;
       case JSJITCOMPILER_SPECTRE_JIT_TO_CXX_CALLS:
         jit::JitOptions.spectreJitToCxxCalls = !!value;
--- a/js/src/jsapi.h
+++ b/js/src/jsapi.h
@@ -5887,16 +5887,17 @@ JS_SetOffthreadIonCompilationEnabled(JSC
     Register(ION_CHECK_RANGE_ANALYSIS, "ion.check-range-analysis")          \
     Register(BASELINE_ENABLE, "baseline.enable")                            \
     Register(OFFTHREAD_COMPILATION_ENABLE, "offthread-compilation.enable")  \
     Register(FULL_DEBUG_CHECKS, "jit.full-debug-checks")                    \
     Register(JUMP_THRESHOLD, "jump-threshold")                              \
     Register(SIMULATOR_ALWAYS_INTERRUPT, "simulator.always-interrupt")      \
     Register(SPECTRE_INDEX_MASKING, "spectre.index-masking")                \
     Register(SPECTRE_OBJECT_MITIGATIONS_BARRIERS, "spectre.object-mitigations.barriers") \
+    Register(SPECTRE_OBJECT_MITIGATIONS_MISC, "spectre.object-mitigations.misc") \
     Register(SPECTRE_STRING_MITIGATIONS, "spectre.string-mitigations")      \
     Register(SPECTRE_VALUE_MASKING, "spectre.value-masking")                \
     Register(SPECTRE_JIT_TO_CXX_CALLS, "spectre.jit-to-C++-calls")          \
     Register(ASMJS_ATOMICS_ENABLE, "asmjs.atomics.enable")                  \
     Register(WASM_FOLD_OFFSETS, "wasm.fold-offsets")                        \
     Register(WASM_DELAY_TIER2, "wasm.delay-tier2")
 
 typedef enum JSJitCompilerOption {
--- a/js/src/shell/js.cpp
+++ b/js/src/shell/js.cpp
@@ -8594,22 +8594,24 @@ SetContextOptions(JSContext* cx, const O
         else
             return OptionFailure("cache-ir-stubs", str);
     }
 
     if (const char* str = op.getStringOption("spectre-mitigations")) {
         if (strcmp(str, "on") == 0) {
             jit::JitOptions.spectreIndexMasking = true;
             jit::JitOptions.spectreObjectMitigationsBarriers = true;
+            jit::JitOptions.spectreObjectMitigationsMisc = true;
             jit::JitOptions.spectreStringMitigations = true;
             jit::JitOptions.spectreValueMasking = true;
             jit::JitOptions.spectreJitToCxxCalls = true;
         } else if (strcmp(str, "off") == 0) {
             jit::JitOptions.spectreIndexMasking = false;
             jit::JitOptions.spectreObjectMitigationsBarriers = false;
+            jit::JitOptions.spectreObjectMitigationsMisc = false;
             jit::JitOptions.spectreStringMitigations = false;
             jit::JitOptions.spectreValueMasking = false;
             jit::JitOptions.spectreJitToCxxCalls = false;
         } else {
             return OptionFailure("spectre-mitigations", str);
         }
     }
 
--- a/js/src/vm/UnboxedObject.cpp
+++ b/js/src/vm/UnboxedObject.cpp
@@ -533,38 +533,43 @@ UnboxedLayout::makeNativeGroup(JSContext
 
     nativeGroup->setOriginalUnboxedGroup(group);
 
     group->markStateChange(cx);
 
     return true;
 }
 
-/* static */ bool
+/* static */ NativeObject*
 UnboxedPlainObject::convertToNative(JSContext* cx, JSObject* obj)
 {
+    // This function returns the original object (instead of bool) to make sure
+    // Ion's LConvertUnboxedObjectToNative works correctly. If we return bool
+    // and use defineReuseInput, the object register is not preserved across the
+    // call.
+
     const UnboxedLayout& layout = obj->as<UnboxedPlainObject>().layout();
     UnboxedExpandoObject* expando = obj->as<UnboxedPlainObject>().maybeExpando();
 
     if (!layout.nativeGroup()) {
         if (!UnboxedLayout::makeNativeGroup(cx, obj->group()))
-            return false;
+            return nullptr;
 
         // makeNativeGroup can reentrantly invoke this method.
         if (obj->is<PlainObject>())
-            return true;
+            return &obj->as<PlainObject>();
     }
 
     AutoValueVector values(cx);
     for (size_t i = 0; i < layout.properties().length(); i++) {
         // We might be reading properties off the object which have not been
         // initialized yet. Make sure any double values we read here are
         // canonicalized.
         if (!values.append(obj->as<UnboxedPlainObject>().getValue(layout.properties()[i], true)))
-            return false;
+            return nullptr;
     }
 
     // We are eliminating the expando edge with the conversion, so trigger a
     // pre barrier.
     JSObject::writeBarrierPre(expando);
 
     // Additionally trigger a post barrier on the expando itself. Whole cell
     // store buffer entries can be added on the original unboxed object for
@@ -574,52 +579,53 @@ UnboxedPlainObject::convertToNative(JSCo
         cx->zone()->group()->storeBuffer().putWholeCell(expando);
 
     obj->setGroup(layout.nativeGroup());
     obj->as<PlainObject>().setLastPropertyMakeNative(cx, layout.nativeShape());
 
     for (size_t i = 0; i < values.length(); i++)
         obj->as<PlainObject>().initSlotUnchecked(i, values[i]);
 
-    if (expando) {
-        // Add properties from the expando object to the object, in order.
-        // Suppress GC here, so that callers don't need to worry about this
-        // method collecting. The stuff below can only fail due to OOM, in
-        // which case the object will not have been completely filled back in.
-        gc::AutoSuppressGC suppress(cx);
+    if (!expando)
+        return &obj->as<PlainObject>();
+
+    // Add properties from the expando object to the object, in order.
+    // Suppress GC here, so that callers don't need to worry about this
+    // method collecting. The stuff below can only fail due to OOM, in
+    // which case the object will not have been completely filled back in.
+    gc::AutoSuppressGC suppress(cx);
 
-        Vector<jsid> ids(cx);
-        for (Shape::Range<NoGC> r(expando->lastProperty()); !r.empty(); r.popFront()) {
-            if (!ids.append(r.front().propid()))
-                return false;
-        }
-        for (size_t i = 0; i < expando->getDenseInitializedLength(); i++) {
-            if (!expando->getDenseElement(i).isMagic(JS_ELEMENTS_HOLE)) {
-                if (!ids.append(INT_TO_JSID(i)))
-                    return false;
-            }
-        }
-        ::Reverse(ids.begin(), ids.end());
-
-        RootedPlainObject nobj(cx, &obj->as<PlainObject>());
-        Rooted<UnboxedExpandoObject*> nexpando(cx, expando);
-        RootedId id(cx);
-        Rooted<PropertyDescriptor> desc(cx);
-        for (size_t i = 0; i < ids.length(); i++) {
-            id = ids[i];
-            if (!GetOwnPropertyDescriptor(cx, nexpando, id, &desc))
-                return false;
-            ObjectOpResult result;
-            if (!DefineProperty(cx, nobj, id, desc, result))
-                return false;
-            MOZ_ASSERT(result.ok());
+    Vector<jsid> ids(cx);
+    for (Shape::Range<NoGC> r(expando->lastProperty()); !r.empty(); r.popFront()) {
+        if (!ids.append(r.front().propid()))
+            return nullptr;
+    }
+    for (size_t i = 0; i < expando->getDenseInitializedLength(); i++) {
+        if (!expando->getDenseElement(i).isMagic(JS_ELEMENTS_HOLE)) {
+            if (!ids.append(INT_TO_JSID(i)))
+                return nullptr;
         }
     }
+    ::Reverse(ids.begin(), ids.end());
 
-    return true;
+    RootedPlainObject nobj(cx, &obj->as<PlainObject>());
+    Rooted<UnboxedExpandoObject*> nexpando(cx, expando);
+    RootedId id(cx);
+    Rooted<PropertyDescriptor> desc(cx);
+    for (size_t i = 0; i < ids.length(); i++) {
+        id = ids[i];
+        if (!GetOwnPropertyDescriptor(cx, nexpando, id, &desc))
+            return nullptr;
+        ObjectOpResult result;
+        if (!DefineProperty(cx, nobj, id, desc, result))
+            return nullptr;
+        MOZ_ASSERT(result.ok());
+    }
+
+    return nobj;
 }
 
 /* static */ JS::Result<UnboxedObject*, JS::OOM&>
 UnboxedObject::createInternal(JSContext* cx, js::gc::AllocKind kind, js::gc::InitialHeap heap,
                               js::HandleObjectGroup group)
 {
     const js::Class* clasp = group->clasp();
     MOZ_ASSERT(clasp == &UnboxedPlainObject::class_);
--- a/js/src/vm/UnboxedObject.h
+++ b/js/src/vm/UnboxedObject.h
@@ -292,17 +292,17 @@ class UnboxedPlainObject : public Unboxe
 
     bool containsUnboxedOrExpandoProperty(JSContext* cx, jsid id) const;
 
     static UnboxedExpandoObject* ensureExpando(JSContext* cx, Handle<UnboxedPlainObject*> obj);
 
     bool setValue(JSContext* cx, const UnboxedLayout::Property& property, const Value& v);
     Value getValue(const UnboxedLayout::Property& property, bool maybeUninitialized = false);
 
-    static bool convertToNative(JSContext* cx, JSObject* obj);
+    static NativeObject* convertToNative(JSContext* cx, JSObject* obj);
     static UnboxedPlainObject* create(JSContext* cx, HandleObjectGroup group,
                                       NewObjectKind newKind);
     static JSObject* createWithProperties(JSContext* cx, HandleObjectGroup group,
                                           NewObjectKind newKind, IdValuePair* properties);
 
     void fillAfterConvert(JSContext* cx,
                           Handle<GCVector<Value>> values, size_t* valueCursor);
 
--- a/js/xpconnect/src/XPCJSContext.cpp
+++ b/js/xpconnect/src/XPCJSContext.cpp
@@ -805,16 +805,18 @@ ReloadPrefsCallback(const char* pref, vo
 
     bool extraWarnings = Preferences::GetBool(JS_OPTIONS_DOT_STR "strict");
 
     bool streams = Preferences::GetBool(JS_OPTIONS_DOT_STR "streams");
 
     bool spectreIndexMasking = Preferences::GetBool(JS_OPTIONS_DOT_STR "spectre.index_masking");
     bool spectreObjectMitigationsBarriers =
         Preferences::GetBool(JS_OPTIONS_DOT_STR "spectre.object_mitigations.barriers");
+    bool spectreObjectMitigationsMisc =
+        Preferences::GetBool(JS_OPTIONS_DOT_STR "spectre.object_mitigations.misc");
     bool spectreStringMitigations =
         Preferences::GetBool(JS_OPTIONS_DOT_STR "spectre.string_mitigations");
     bool spectreValueMasking = Preferences::GetBool(JS_OPTIONS_DOT_STR "spectre.value_masking");
     bool spectreJitToCxxCalls = Preferences::GetBool(JS_OPTIONS_DOT_STR "spectre.jit_to_C++_calls");
 
     sSharedMemoryEnabled = Preferences::GetBool(JS_OPTIONS_DOT_STR "shared_memory");
 
 #ifdef DEBUG
@@ -873,16 +875,18 @@ ReloadPrefsCallback(const char* pref, vo
                                   useIonEager ? 0 : ionThreshold);
 #ifdef DEBUG
     JS_SetGlobalJitCompilerOption(cx, JSJITCOMPILER_FULL_DEBUG_CHECKS, fullJitDebugChecks);
 #endif
 
     JS_SetGlobalJitCompilerOption(cx, JSJITCOMPILER_SPECTRE_INDEX_MASKING, spectreIndexMasking);
     JS_SetGlobalJitCompilerOption(cx, JSJITCOMPILER_SPECTRE_OBJECT_MITIGATIONS_BARRIERS,
                                   spectreObjectMitigationsBarriers);
+    JS_SetGlobalJitCompilerOption(cx, JSJITCOMPILER_SPECTRE_OBJECT_MITIGATIONS_MISC,
+                                  spectreObjectMitigationsMisc);
     JS_SetGlobalJitCompilerOption(cx, JSJITCOMPILER_SPECTRE_STRING_MITIGATIONS,
                                   spectreStringMitigations);
     JS_SetGlobalJitCompilerOption(cx, JSJITCOMPILER_SPECTRE_VALUE_MASKING, spectreValueMasking);
     JS_SetGlobalJitCompilerOption(cx, JSJITCOMPILER_SPECTRE_JIT_TO_CXX_CALLS,
                                   spectreJitToCxxCalls);
 }
 
 XPCJSContext::~XPCJSContext()
--- a/layout/svg/SVGContextPaint.h
+++ b/layout/svg/SVGContextPaint.h
@@ -46,16 +46,17 @@ namespace mozilla {
  * duration of a function call.
  * XXX Note: SVGImageContext doesn't actually have a SVGContextPaint member yet,
  * but it will in a later patch in the patch series that added this comment.
  */
 class SVGContextPaint : public RefCounted<SVGContextPaint>
 {
 protected:
   typedef mozilla::gfx::DrawTarget DrawTarget;
+  typedef mozilla::gfx::Float Float;
   typedef mozilla::image::imgDrawingParams imgDrawingParams;
 
   SVGContextPaint()
     : mDashOffset(0.0f)
     , mStrokeWidth(0.0f)
   {}
 
 public:
@@ -91,25 +92,25 @@ public:
 
   static SVGContextPaint* GetContextPaint(nsIContent* aContent);
 
   // XXX This gets the geometry params from the gfxContext.  We should get that
   // information from the actual paint context!
   void InitStrokeGeometry(gfxContext *aContext,
                           float devUnitsPerSVGUnit);
 
-  const FallibleTArray<gfxFloat>& GetStrokeDashArray() const {
+  const FallibleTArray<Float>& GetStrokeDashArray() const {
     return mDashes;
   }
 
-  gfxFloat GetStrokeDashOffset() const {
+  Float GetStrokeDashOffset() const {
     return mDashOffset;
   }
 
-  gfxFloat GetStrokeWidth() const {
+  Float GetStrokeWidth() const {
     return mStrokeWidth;
   }
 
   virtual uint32_t Hash() const {
     MOZ_ASSERT_UNREACHABLE("Only VectorImage needs to hash, and that should "
                            "only be operating on our SVGEmbeddingContextPaint "
                            "subclass");
     return 0;
@@ -118,19 +119,19 @@ public:
   /**
    * Returns true if image context paint is allowed to be used in an image that
    * has the given URI, else returns false.
    */
   static bool IsAllowedForImageFromURI(nsIURI* aURI);
 
 private:
   // Member-vars are initialized in InitStrokeGeometry.
-  FallibleTArray<gfxFloat> mDashes;
-  MOZ_INIT_OUTSIDE_CTOR gfxFloat mDashOffset;
-  MOZ_INIT_OUTSIDE_CTOR gfxFloat mStrokeWidth;
+  FallibleTArray<Float> mDashes;
+  MOZ_INIT_OUTSIDE_CTOR Float mDashOffset;
+  MOZ_INIT_OUTSIDE_CTOR Float mStrokeWidth;
 };
 
 /**
  * RAII class used to temporarily set and remove an SVGContextPaint while a
  * piece of SVG is being painted.  The context paint is set on the SVG's owner
  * document, as expected by SVGContextPaint::GetContextPaint.  Any pre-existing
  * context paint is restored after this class removes the context paint that it
  * set.
--- a/layout/svg/nsSVGUtils.cpp
+++ b/layout/svg/nsSVGUtils.cpp
@@ -1682,120 +1682,36 @@ nsSVGUtils::GetStrokeWidth(nsIFrame* aFr
     content = content->GetParent();
   }
 
   nsSVGElement *ctx = static_cast<nsSVGElement*>(content);
 
   return SVGContentUtils::CoordToFloat(ctx, style->mStrokeWidth);
 }
 
-static bool
-GetStrokeDashData(nsIFrame* aFrame,
-                  nsTArray<gfxFloat>& aDashes,
-                  gfxFloat* aDashOffset,
-                  SVGContextPaint* aContextPaint)
-{
-  const nsStyleSVG* style = aFrame->StyleSVG();
-  nsIContent *content = aFrame->GetContent();
-  nsSVGElement *ctx = static_cast<nsSVGElement*>
-    (content->IsNodeOfType(nsINode::eTEXT) ?
-     content->GetParent() : content);
-
-  gfxFloat totalLength = 0.0;
-  if (aContextPaint && style->StrokeDasharrayFromObject()) {
-    aDashes = aContextPaint->GetStrokeDashArray();
-
-    for (uint32_t i = 0; i < aDashes.Length(); i++) {
-      if (aDashes[i] < 0.0) {
-        return false;
-      }
-      totalLength += aDashes[i];
-    }
-
-  } else {
-    uint32_t count = style->mStrokeDasharray.Length();
-    if (!count || !aDashes.SetLength(count, fallible)) {
-      return false;
-    }
-
-    gfxFloat pathScale = 1.0;
-
-    if (content->IsSVGElement(nsGkAtoms::path)) {
-      pathScale = static_cast<SVGPathElement*>(content)->
-        GetPathLengthScale(SVGPathElement::eForStroking);
-      if (pathScale <= 0) {
-        return false;
-      }
-    }
-
-    const nsTArray<nsStyleCoord>& dasharray = style->mStrokeDasharray;
-
-    for (uint32_t i = 0; i < count; i++) {
-      aDashes[i] = SVGContentUtils::CoordToFloat(ctx,
-                                                 dasharray[i]) * pathScale;
-      if (aDashes[i] < 0.0) {
-        return false;
-      }
-      totalLength += aDashes[i];
-    }
-  }
-
-  if (aContextPaint && style->StrokeDashoffsetFromObject()) {
-    *aDashOffset = aContextPaint->GetStrokeDashOffset();
-  } else {
-    *aDashOffset = SVGContentUtils::CoordToFloat(ctx,
-                                                 style->mStrokeDashoffset);
-  }
-
-  return (totalLength > 0.0);
-}
-
 void
 nsSVGUtils::SetupStrokeGeometry(nsIFrame* aFrame,
                                 gfxContext *aContext,
                                 SVGContextPaint* aContextPaint)
 {
-  float width = GetStrokeWidth(aFrame, aContextPaint);
-  if (width <= 0)
-    return;
-  aContext->SetLineWidth(width);
-
-  const nsStyleSVG* style = aFrame->StyleSVG();
+  SVGContentUtils::AutoStrokeOptions strokeOptions;
+  SVGContentUtils::GetStrokeOptions(
+    &strokeOptions, static_cast<nsSVGElement*>(aFrame->GetContent()),
+    aFrame->StyleContext(), aContextPaint);
 
-  switch (style->mStrokeLinecap) {
-  case NS_STYLE_STROKE_LINECAP_BUTT:
-    aContext->SetLineCap(CapStyle::BUTT);
-    break;
-  case NS_STYLE_STROKE_LINECAP_ROUND:
-    aContext->SetLineCap(CapStyle::ROUND);
-    break;
-  case NS_STYLE_STROKE_LINECAP_SQUARE:
-    aContext->SetLineCap(CapStyle::SQUARE);
-    break;
+  if (strokeOptions.mLineWidth <= 0) {
+    return;
   }
 
-  aContext->SetMiterLimit(style->mStrokeMiterlimit);
-
-  switch (style->mStrokeLinejoin) {
-  case NS_STYLE_STROKE_LINEJOIN_MITER:
-    aContext->SetLineJoin(JoinStyle::MITER_OR_BEVEL);
-    break;
-  case NS_STYLE_STROKE_LINEJOIN_ROUND:
-    aContext->SetLineJoin(JoinStyle::ROUND);
-    break;
-  case NS_STYLE_STROKE_LINEJOIN_BEVEL:
-    aContext->SetLineJoin(JoinStyle::BEVEL);
-    break;
-  }
-
-  AutoTArray<gfxFloat, 10> dashes;
-  gfxFloat dashOffset;
-  if (GetStrokeDashData(aFrame, dashes, &dashOffset, aContextPaint)) {
-    aContext->SetDash(dashes.Elements(), dashes.Length(), dashOffset);
-  }
+  aContext->SetLineWidth(strokeOptions.mLineWidth);
+  aContext->SetLineCap(strokeOptions.mLineCap);
+  aContext->SetMiterLimit(strokeOptions.mMiterLimit);
+  aContext->SetLineJoin(strokeOptions.mLineJoin);
+  aContext->SetDash(strokeOptions.mDashPattern, strokeOptions.mDashLength,
+                    strokeOptions.mDashOffset);
 }
 
 uint16_t
 nsSVGUtils::GetGeometryHitTestFlags(nsIFrame* aFrame)
 {
   uint16_t flags = 0;
 
   switch (aFrame->StyleUserInterface()->mPointerEvents) {
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -1562,16 +1562,17 @@ pref("javascript.options.showInConsole",
 pref("javascript.options.shared_memory", false);
 
 pref("javascript.options.throw_on_debuggee_would_run", false);
 pref("javascript.options.dump_stack_on_debuggee_would_run", false);
 
 // Spectre security vulnerability mitigations.
 pref("javascript.options.spectre.index_masking", true);
 pref("javascript.options.spectre.object_mitigations.barriers", true);
+pref("javascript.options.spectre.object_mitigations.misc", false);
 pref("javascript.options.spectre.string_mitigations", true);
 pref("javascript.options.spectre.value_masking", true);
 pref("javascript.options.spectre.jit_to_C++_calls", true);
 
 // Streams API
 pref("javascript.options.streams", false);
 
 // advanced prefs
--- a/security/manager/ssl/StaticHPKPins.h
+++ b/security/manager/ssl/StaticHPKPins.h
@@ -1158,9 +1158,9 @@ static const TransportSecurityPreload kP
   { "za.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
   { "zh.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
 };
 
 // Pinning Preload List Length = 485;
 
 static const int32_t kUnknownId = -1;
 
-static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1529180748258000);
+static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1529264935824000);
--- a/security/manager/ssl/nsSTSPreloadList.errors
+++ b/security/manager/ssl/nsSTSPreloadList.errors
@@ -40,17 +40,16 @@ 41844.de: could not connect to host
 439191.com: could not connect to host
 47tech.com: could not connect to host
 4baby.com.br: could not connect to host
 4d2.xyz: could not connect to host
 4host.ch: could not connect to host
 4loc.us: could not connect to host
 4web-hosting.com: could not connect to host
 5000yz.com: could not connect to host
-517vpn.cn: could not connect to host
 52kb1.com: could not connect to host
 52neptune.com: could not connect to host
 5ece.de: could not connect to host
 68277.me: could not connect to host
 692b8c32.de: could not connect to host
 69mentor.com: could not connect to host
 7261696e626f77.net: could not connect to host
 8560.be: could not connect to host
@@ -61,16 +60,17 @@ 88laohu.com: could not connect to host
 8ackprotect.com: could not connect to host
 8ballbombom.uk: could not connect to host
 8t88.biz: could not connect to host
 91-freedom.com: could not connect to host
 99buffets.com: could not connect to host
 a-ix.net: could not connect to host
 aaron.xin: could not connect to host
 abi-fvs.de: could not connect to host
+abigisp.com: could not connect to host
 abilma.com: could not connect to host
 abloop.com: could not connect to host
 abolition.co: could not connect to host
 abstractbarista.com: could not connect to host
 abstractbarista.net: could not connect to host
 ac.milan.it: could not connect to host
 acat.io: could not connect to host
 accolade.com.br: could not connect to host
@@ -97,16 +97,17 @@ affily.io: could not connect to host
 afterstack.net: could not connect to host
 agingstop.net: could not connect to host
 agoravm.tk: could not connect to host
 agowa.eu: could not connect to host
 agowa338.de: could not connect to host
 agrilinks.org: could not connect to host
 ahelos.tk: could not connect to host
 ahlz.sk: could not connect to host
+aibaoyou.com: could not connect to host
 aid-web.ch: could not connect to host
 aikenorganics.com: could not connect to host
 aim-consultants.com: could not connect to host
 airclass.com: could not connect to host
 ajdiaz.me: could not connect to host
 ajetaci.cz: could not connect to host
 akiba-server.info: could not connect to host
 akita-stream.com: could not connect to host
@@ -122,20 +123,20 @@ alexberts.ch: could not connect to host
 alexey-shamara.ru: could not connect to host
 alexmol.tk: could not connect to host
 alexperry.io: could not connect to host
 algarmatic-automatismos.pt: could not connect to host
 alilialili.ga: could not connect to host
 alldm.ru: could not connect to host
 alloutatl.com: could not connect to host
 allscammers.exposed: could not connect to host
-allthingsblogging.com: could not connect to host
 allthingsfpl.com: could not connect to host
 alocato.com: could not connect to host
 alohapartyevents.co.uk: could not connect to host
+alpe-d-or.dyn-o-saur.com: could not connect to host
 alphabrock.cn: could not connect to host
 altahrim.net: could not connect to host
 amdouglas.uk: could not connect to host
 ameho.me: could not connect to host
 americandistribuidora.com: could not connect to host
 amilum.org: could not connect to host
 amua.fr: could not connect to host
 amunoz.org: could not connect to host
@@ -145,17 +146,16 @@ anastasia-shamara.ru: could not connect 
 andreas-kluge.eu: could not connect to host
 andreaskluge.eu: could not connect to host
 andrei-coman.com: could not connect to host
 andrewdaws.co: could not connect to host
 andrewdaws.info: could not connect to host
 andrewdaws.me: could not connect to host
 andrewdaws.tv: could not connect to host
 andrewrdaws.com: could not connect to host
-andromedacenter.com: could not connect to host
 andronika.net: could not connect to host
 anecuni-club.com: could not connect to host
 anecuni-rec.com: could not connect to host
 angrydragonproductions.com: could not connect to host
 animojis.es: could not connect to host
 anitube-nocookie.ch: could not connect to host
 anivar.net: could not connect to host
 annetaan.fi: could not connect to host
@@ -195,37 +195,42 @@ asthon.cn: could not connect to host
 astrath.net: could not connect to host
 astrea-voetbal-groningen.nl: could not connect to host
 asuhe.xyz: could not connect to host
 async.be: could not connect to host
 at1.co: could not connect to host
 athi.pl: could not connect to host
 atigerseye.com: could not connect to host
 atlas-5.site: could not connect to host
+attilagyorffy.com: could not connect to host
 aufmerksamkeitsstudie.com: could not connect to host
 augix.net: could not connect to host
 aur.rocks: could not connect to host
 ausec.ch: could not connect to host
 ausschreibungen-suedtirol.it: could not connect to host
 austinsutphin.com: could not connect to host
 australiancattle.dog: could not connect to host
 authint.com: could not connect to host
 authland.com: could not connect to host
 authsrv.nl.eu.org: could not connect to host
 autosearch.me: could not connect to host
 autostock.me: could not connect to host
 autostop-occasions.be: could not connect to host
 avdelivers.com: could not connect to host
+avernis.de: could not connect to host
 avi9526.pp.ua: could not connect to host
+avmo.pw: could not connect to host
 avonlearningcampus.com: could not connect to host
+avso.pw: could not connect to host
 awan.tech: could not connect to host
 awei.pub: could not connect to host
 awf0.xyz: could not connect to host
 axel-fischer.science: could not connect to host
 b-landia.net: could not connect to host
+b422edu.com: could not connect to host
 b9winner.com: could not connect to host
 babelfisch.eu: could not connect to host
 bacimg.com: could not connect to host
 badbee.cc: could not connect to host
 bailbondsaffordable.com: could not connect to host
 balonmano.co: could not connect to host
 bandally.net: could not connect to host
 bandarifamily.com: could not connect to host
@@ -276,35 +281,33 @@ bigerbio.com: could not connect to host
 billigpoker.dk: could not connect to host
 billpro.com.au: could not connect to host
 binam.center: could not connect to host
 bingcheung.com: could not connect to host
 binimo.com: could not connect to host
 biou.me: could not connect to host
 biovalue.eu: could not connect to host
 bip.gov.sa: could not connect to host
-birthdaytip.com: could not connect to host
+biscoint.io: could not connect to host
 biscuits-rec.com: could not connect to host
 biscuits-shop.com: could not connect to host
-bistrocean.com: could not connect to host
 biswas.me: could not connect to host
 bitcoin-class.com: could not connect to host
 bitcoin-daijin.com: could not connect to host
 bitcoinjpn.com: could not connect to host
 bitmain.com.ua: could not connect to host
 bitmaincare.com.ua: could not connect to host
 bitmaincare.ru: could not connect to host
 bitmessage.ch: could not connect to host
 bityes.org: could not connect to host
 bjgongyi.com: could not connect to host
 bjtxl.cn: could not connect to host
 black-khat.com: could not connect to host
 blackberrycentral.com: could not connect to host
 blackdragoninc.org: could not connect to host
-blackhelicopters.net: could not connect to host
 blackscreen.me: could not connect to host
 blantik.net: could not connect to host
 blazeit.io: could not connect to host
 blessedearth.com.au: could not connect to host
 bliesekow.net: could not connect to host
 blindaryproduction.tk: could not connect to host
 blinkenlight.co.uk: could not connect to host
 blinkenlight.com.au: could not connect to host
@@ -411,16 +414,17 @@ centrolavoro.org: could not connect to h
 cgtx.us: could not connect to host
 challengeskins.com: could not connect to host
 championnat-romand-cuisiniers-amateurs.ch: could not connect to host
 chancat.blog: could not connect to host
 channellife.asia: could not connect to host
 chaouby.com: could not connect to host
 charge.co: could not connect to host
 charmyadesara.com: could not connect to host
+charta-digitale-vernetzung.de: could not connect to host
 cheah.xyz: could not connect to host
 cheesefusion.com: could not connect to host
 chez-janine.de: could not connect to host
 chicorycom.net: could not connect to host
 china-line.org: could not connect to host
 chinternet.xyz: could not connect to host
 chloe.re: could not connect to host
 chocolat-suisse.ch: could not connect to host
@@ -443,30 +447,32 @@ clashersrepublic.com: could not connect 
 clearchatsandbox.com: could not connect to host
 clearviewwealthprojector.com.au: could not connect to host
 clic-music.com: could not connect to host
 clickclock.cc: could not connect to host
 clintonbloodworth.com: could not connect to host
 cloudberlin.goip.de: could not connect to host
 cloudbleed.info: could not connect to host
 cloudimproved.com: could not connect to host
-cloudimprovedtest.com: could not connect to host
 cloudwarez.xyz: could not connect to host
 clownish.co.il: could not connect to host
 clycat.ru: could not connect to host
 cmcc.network: could not connect to host
 cmrss.com: could not connect to host
 cms-weble.jp: could not connect to host
 cmweller.com: could not connect to host
 cnetw.xyz: could not connect to host
 cnlic.com: could not connect to host
 cnwage.com: could not connect to host
 cnwarn.com: could not connect to host
 co-yutaka.com: could not connect to host
 cobaltlp.com: could not connect to host
+coccinellaskitchen.com: could not connect to host
+coccinellaskitchen.de: could not connect to host
+coccinellaskitchen.it: could not connect to host
 codeloop.pw: could not connect to host
 codenlife.xyz: could not connect to host
 codeofhonor.tech: could not connect to host
 codercross.com: could not connect to host
 coderhangout.com: could not connect to host
 codewiz.xyz: could not connect to host
 cogumelosmagicos.org: could not connect to host
 colarelli.ch: could not connect to host
@@ -483,25 +489,27 @@ complt.xyz: could not connect to host
 comprehensiveihc.com: could not connect to host
 conception.sk: could not connect to host
 conniesacademy.com: could not connect to host
 conrad.am: could not connect to host
 constructive.men: could not connect to host
 conve.eu: could not connect to host
 coopens.com: could not connect to host
 corecdn.org: could not connect to host
+corgi.party: could not connect to host
 corinnanese.de: could not connect to host
 correct.horse: could not connect to host
 cosmeticosdelivery.com.br: could not connect to host
 cosmeticosnet.com.br: could not connect to host
 cosmiatria.pe: could not connect to host
 cosplayer.com: could not connect to host
 cotta.dk: could not connect to host
 coumoul.fr: could not connect to host
 cpaneltips.com: could not connect to host
+crackcat.de: could not connect to host
 crackslut.eu: could not connect to host
 crashsec.com: could not connect to host
 credential.eu: could not connect to host
 cristianhares.com: could not connect to host
 criticalaim.com: could not connect to host
 crow.tw: could not connect to host
 crox.co: could not connect to host
 crt2014-2024review.gov: could not connect to host
@@ -522,32 +530,34 @@ cuni-cuni-club.com: could not connect to
 cuni-rec.com: could not connect to host
 cuonic.com: could not connect to host
 curacao-license.com: could not connect to host
 customfilmworks.com: could not connect to host
 customizeyourshower.com: could not connect to host
 customizeyoursink.com: could not connect to host
 cybbh.space: could not connect to host
 cyber-computer.club: could not connect to host
+cyber-perikarp.eu: could not connect to host
 cyberpeace.nl: could not connect to host
+cybersecurity.nz: could not connect to host
 cyberstatus.de: could not connect to host
+cyclehackluxembourgcity.lu: could not connect to host
 cype.dedyn.io: could not connect to host
 cypherpunk.ws: could not connect to host
 czlx.co: could not connect to host
 d-bood.site: could not connect to host
 d3x.pw: could not connect to host
 d4wson.com: could not connect to host
 d8studio.net: could not connect to host
 daltonedwards.me: could not connect to host
 dam74.com.ar: could not connect to host
 damedrogy.cz: could not connect to host
 daniel-stahl.net: could not connect to host
 danpiel.net: could not connect to host
 darkdestiny.ch: could not connect to host
-darlo.co.uk: could not connect to host
 darrienworth.com: could not connect to host
 daryl.moe: could not connect to host
 dashboard.yt: could not connect to host
 data-detox.com: could not connect to host
 datastream.re: could not connect to host
 datorb.com: could not connect to host
 davidgreig.uk: could not connect to host
 davidscherzer.at: could not connect to host
@@ -555,54 +565,53 @@ davidstuff.net: could not connect to hos
 davros.eu: could not connect to host
 davros.ru: could not connect to host
 daw.nz: could not connect to host
 dawnson.is: could not connect to host
 dawnsonb.com: could not connect to host
 day-peak.com: could not connect to host
 days.one: could not connect to host
 dbox.ga: could not connect to host
-dcc.cat: could not connect to host
 dcc.moe: could not connect to host
 dden.website: could not connect to host
 dden.xyz: could not connect to host
 ddmeportal.com: could not connect to host
 de-servers.de: could not connect to host
+deborahmarinelli.eu: could not connect to host
 decoyrouting.com: could not connect to host
 dedietrich-asia.com: could not connect to host
 deepcreampie.com: could not connect to host
 deeps.cat: could not connect to host
 deloittequant.com: could not connect to host
 depedtayo.ph: could not connect to host
 derchris.me: could not connect to host
 derivativeshub.pro: could not connect to host
 dermacarecomplex.com: could not connect to host
 dermapuur.nl: could not connect to host
 designsbykerrialee.co.uk: could not connect to host
 detecte-fuite.ch: could not connect to host
 detecte.ch: could not connect to host
 detectefuite.ch: could not connect to host
 devdesco.com: could not connect to host
 developersclub.website: could not connect to host
+devonsawatzky.ca: could not connect to host
 devops.moe: could not connect to host
 dezintranet.com: could not connect to host
 dhl-smart.ch: could not connect to host
 dhub.xyz: could not connect to host
 dhxxls.com: could not connect to host
 dibiphp.com: could not connect to host
 diceduels.com: could not connect to host
-dicgaming.net: could not connect to host
 dick.red: could not connect to host
 didierlaumen.be: could not connect to host
 die-gruenen-teufel.de: could not connect to host
 diemogebhardt.com: could not connect to host
 dieser.me: could not connect to host
 digihyp.ch: could not connect to host
 digioccumss.ddns.net: could not connect to host
-digitalhurricane.io: could not connect to host
 digitalrxcloud.com: could not connect to host
 digitalsurge.io: could not connect to host
 digitalwasteland.net: could not connect to host
 diguass.us: could not connect to host
 dijks.com: could not connect to host
 dingss.com: could not connect to host
 dinotv.at: could not connect to host
 dinube.com: could not connect to host
@@ -621,16 +630,17 @@ distinctivephotography.com.au: could not
 distrilogservices.com: could not connect to host
 ditch.ch: could not connect to host
 diwei.vip: could not connect to host
 dixmag.com: could not connect to host
 diz.in.ua: could not connect to host
 djul.net: could not connect to host
 dlouwrink.nl: could not connect to host
 dlyl888.com: could not connect to host
+dn3s.me: could not connect to host
 dna.li: could not connect to host
 dnfc.rocks: could not connect to host
 dnmaze.com: could not connect to host
 do-it.cz: could not connect to host
 dobrisan.ro: could not connect to host
 doctafit.com: could not connect to host
 docubox.info: could not connect to host
 doesmycodehavebugs.today: could not connect to host
@@ -720,32 +730,33 @@ eminhuseynov.com: could not connect to h
 emperor.blog: could not connect to host
 empire24.co: could not connect to host
 emrenovation.com: could not connect to host
 endohaus.us: could not connect to host
 endspamwith.us: could not connect to host
 enoou.com: could not connect to host
 enpalmademallorca.info: could not connect to host
 envelope.co.nz: could not connect to host
+epichouse.net: could not connect to host
 er-music.com: could not connect to host
 erad.fr: could not connect to host
 erigrid.eu: could not connect to host
 erspro.net: could not connect to host
 erwinwensveen.nl: could not connect to host
 es888999.com: could not connect to host
 esoterik.link: could not connect to host
 esseriumani.com: could not connect to host
 ethanfaust.com: could not connect to host
 ethiobaba.com: could not connect to host
 euexia.fr: could not connect to host
 eung.ga: could not connect to host
+euph.eu: could not connect to host
 eurostrategy.vn.ua: could not connect to host
 evankurniawan.com: could not connect to host
 eventaro.com: could not connect to host
-eventmake.es: could not connect to host
 everyarti.st: could not connect to host
 eveshaiwu.com: could not connect to host
 eworksmedia.com: could not connect to host
 exceptionalservices.us: could not connect to host
 exo.do: could not connect to host
 exteriorservices.io: could not connect to host
 eytosh.net: could not connect to host
 f1bigpicture.com: could not connect to host
@@ -761,32 +772,34 @@ factureenlinea.com: could not connect to
 faeriecakes.be: could not connect to host
 fafatiger.com: could not connect to host
 faithwatch.org: could not connect to host
 fakti.bg: could not connect to host
 falkus.net: could not connect to host
 fallenangeldrinks.eu: could not connect to host
 famer.me: could not connect to host
 fameuxhosting.co.uk: could not connect to host
+fander.it: could not connect to host
 faretravel.co.uk: could not connect to host
 farm24.co.uk: could not connect to host
 farmacia.pt: could not connect to host
 fastaim.de: could not connect to host
 fastbackmbg.be: could not connect to host
 faxreader.net: could not connect to host
 fcapartsdb.com: could not connect to host
 feac.us: could not connect to host
 fedn.it: could not connect to host
 feedstringer.com: could not connect to host
 feirlane.org: could not connect to host
 feisbed.com: could not connect to host
 felger-times.fr: could not connect to host
 fengyadi.com: could not connect to host
 feras-alhajjaji.com: could not connect to host
 fetclips.se: could not connect to host
+ff-bg.xyz: could not connect to host
 fhsseniormens.club: could not connect to host
 ficklenote.net: could not connect to host
 fierman.eu: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 116"  data: no]
 fierman.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 116"  data: no]
 fierman.us: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 116"  data: no]
 fifieldtech.com: could not connect to host
 figuurzagers.nl: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 116"  data: no]
 filebox.space: could not connect to host
@@ -798,16 +811,17 @@ fire-wolf.com: could not connect to host
 firexarxa.de: could not connect to host
 first-time-offender.com: could not connect to host
 fiscoeconti.it: could not connect to host
 fix-the-timeline.com: could not connect to host
 fix-the-timeline.org: could not connect to host
 fixmyglitch.com: could not connect to host
 fixthetimeline.com: could not connect to host
 fixthetimeline.org: could not connect to host
+flam.io: could not connect to host
 flamingcow.tv: could not connect to host
 flexinvesting.fi: could not connect to host
 floth.at: could not connect to host
 flow.su: could not connect to host
 flucky.xyz: could not connect to host
 flugplatz-edvc.de: could not connect to host
 flyingdoggy.net: could not connect to host
 focalforest.com: could not connect to host
@@ -855,16 +869,17 @@ fun99.cc: could not connect to host
 funksteckdosen24.de: could not connect to host
 funoverip.net: could not connect to host
 funspins.com: could not connect to host
 furnishedproperty.com.au: could not connect to host
 futos.de: could not connect to host
 futuresonline.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 116"  data: no]
 fuzoku-sodan.com: could not connect to host
 fyol.pw: could not connect to host
+fysiotherapierossum.nl: could not connect to host
 g01.in.ua: could not connect to host
 g1jeu.com: could not connect to host
 gaasuper6.com: could not connect to host
 gabriele-kluge.de: could not connect to host
 gafachi.com: could not connect to host
 galgoafegao.com.br: could not connect to host
 galgoingles.com.br: could not connect to host
 gam3rs.de: could not connect to host
@@ -911,17 +926,16 @@ getgeek.nu: could not connect to host
 getgeek.pl: could not connect to host
 getitpeople.com: could not connect to host
 getyourphix.tk: could not connect to host
 gevaulug.fr: could not connect to host
 gfoss.gr: could not connect to host
 gglks.com: could not connect to host
 ggss.cf: could not connect to host
 gh16.com.ar: could not connect to host
-ghaglund.se: could not connect to host
 gifzilla.net: could not connect to host
 gina-architektur.design: could not connect to host
 girlsforum.com: could not connect to host
 git.co: could not connect to host
 gix.net.pl: could not connect to host
 gladystudio.com: could not connect to host
 globalnewsdaily.cf: could not connect to host
 globaltennis.ca: could not connect to host
@@ -946,16 +960,17 @@ gozadentro.com: could not connect to hos
 gpsvideocanada.com: could not connect to host
 gradsm-ci.net: could not connect to host
 granth.io: could not connect to host
 graphite.org.uk: could not connect to host
 gratisonlinesex.com: could not connect to host
 greggsfoundation.org.uk: could not connect to host
 gregmartyn.com: could not connect to host
 greuel.online: could not connect to host
+greybit.net: could not connect to host
 greyhash.se: could not connect to host
 gritte.net: could not connect to host
 grossmisconduct.news: could not connect to host
 growingmetrics.com: could not connect to host
 grusenmeyer.be: could not connect to host
 gugaltika-ipb.org: could not connect to host
 guinea-pig.co: could not connect to host
 gunhunter.com: could not connect to host
@@ -964,21 +979,21 @@ gutuia.blue: could not connect to host
 gvchannel.xyz: could not connect to host
 gwrtech.com: could not connect to host
 gxgx.org: could not connect to host
 gymnasium-farmsen.de: could not connect to host
 gzpblog.com: could not connect to host
 h2cdn.cloud: could not connect to host
 h3artbl33d.nl: could not connect to host
 habeo.si: could not connect to host
-hackanders.com: could not connect to host
 hackbubble.me: could not connect to host
 hackmeplz.com: could not connect to host
 haktec.de: could not connect to host
 hakugin.me: could not connect to host
+hakurei.moe: could not connect to host
 halcyonsbastion.com: could not connect to host
 half-logic.eu.org: could not connect to host
 halta.info: could not connect to host
 hamking.tk: could not connect to host
 hammer-schnaps.com: could not connect to host
 hamu.blue: could not connect to host
 hanksservice.com: could not connect to host
 hanys.xyz: could not connect to host
@@ -988,16 +1003,17 @@ hapvm.com: could not connect to host
 hardeman.nu: could not connect to host
 harrypottereditor.net: could not connect to host
 has-no-email-set.de: could not connect to host
 hasabig.wang: could not connect to host
 hasalittle.wang: could not connect to host
 hashimah.ca: could not connect to host
 hashplex.com: could not connect to host
 hatethe.uk: could not connect to host
+havellab.de: could not connect to host
 hbbet.com: could not connect to host
 hbdesign.work: could not connect to host
 hbvip.com: could not connect to host
 hcstr.com: could not connect to host
 hdc.cz: could not connect to host
 hdrtranscon.com: could not connect to host
 hdy.nz: could not connect to host
 healthyandnaturalliving.com: could not connect to host
@@ -1092,34 +1108,32 @@ ifxnet.com: could not connect to host
 igamingforums.com: could not connect to host
 ihatethissh.it: could not connect to host
 iideaz.org: could not connect to host
 iilin.com: could not connect to host
 iiong.com: could not connect to host
 iirii.com: could not connect to host
 ikenmeyer.com: could not connect to host
 ikenmeyer.eu: could not connect to host
-ikk.me: could not connect to host
 ikzoekeengoedkopeauto.nl: could not connect to host
 ildomani.it: could not connect to host
 ileat.com: could not connect to host
 imaginarymakings.me: could not connect to host
 img.ovh: could not connect to host
 imgencrypt.com: could not connect to host
 imgul.net: could not connect to host
 imguoguo.com: could not connect to host
 imlinan.cn: could not connect to host
 imlinan.info: could not connect to host
 imlinan.net: could not connect to host
 imoner.ga: could not connect to host
 imperdintechnologies.com: could not connect to host
 imperiumnova.info: could not connect to host
 imy.life: could not connect to host
 increasetestosteronelevels.org: could not connect to host
-inderagamono.net: could not connect to host
 industreiler.com: could not connect to host
 industreiler.com.br: could not connect to host
 inexpensivecomputers.net: could not connect to host
 informatik.zone: could not connect to host
 infoworm.org: could not connect to host
 infruction.com: could not connect to host
 injust.eu.org: could not connect to host
 injust.me: could not connect to host
@@ -1163,16 +1177,17 @@ ivanpolchenko.com: could not connect to 
 ivfmeds.com: could not connect to host
 ivyshop.com.br: could not connect to host
 ivystech.com: could not connect to host
 iwex.swiss: could not connect to host
 j-navi.com: could not connect to host
 j0ng.xyz: could not connect to host
 jaimechanaga.com: could not connect to host
 jaion.ml: could not connect to host
+jaitnetworking.com: could not connect to host
 jakincode.army: could not connect to host
 jaksel.id: could not connect to host
 jamesheald.com: could not connect to host
 jan-bucher.ch: could not connect to host
 janheidler.dynv6.net: could not connect to host
 janssen.fm: could not connect to host
 japan4you.org: could not connect to host
 javascriptlab.fr: could not connect to host
@@ -1182,29 +1197,31 @@ jcaicedo.tk: could not connect to host
 jccars-occasions.be: could not connect to host
 jccrew.org: could not connect to host
 jcraft.us: could not connect to host
 jean-remy.ch: could not connect to host
 jecho.cn: could not connect to host
 jeffersonregan.org: could not connect to host
 jens.hk: could not connect to host
 jerrypau.ca: could not connect to host
+jeva.nl: could not connect to host
 jhburton.co.uk: could not connect to host
 jiangzm.com: could not connect to host
 jianyuan.pro: could not connect to host
 jiaqiang.vip: could not connect to host
 jmb.lc: could not connect to host
 jmoreau.ddns.net: could not connect to host
 jmvbmx.ch: could not connect to host
 jobmedic.com: could not connect to host
 joecod.es: could not connect to host
 joetyson.io: could not connect to host
 johntomasowa.com: could not connect to host
 jonathansanchez.pro: could not connect to host
 jonfor.net: could not connect to host
+jonpads.com: could not connect to host
 jooto.com: could not connect to host
 josc.com.au: could not connect to host
 joshharkema.com: could not connect to host
 jpdeharenne.be: could not connect to host
 jpod.cc: could not connect to host
 js88.sg: could not connect to host
 jsc7776.com: could not connect to host
 jsjyhzy.cc: could not connect to host
@@ -1212,33 +1229,33 @@ juliaoantiguidades.com.br: could not con
 juliawebber.co.za: could not connect to host
 jumbopan.com: could not connect to host
 jumbopan.net: could not connect to host
 just-pools.co.za: could not connect to host
 justinharrison.ca: could not connect to host
 justzz.xyz: could not connect to host
 juventusmania1897.com: could not connect to host
 k33k00.com: could not connect to host
+kabus.org: could not connect to host
 kaika-facilitymanagement.de: could not connect to host
 kainz.be: could not connect to host
 kalender.goip.de: could not connect to host
 kaloix.de: could not connect to host
 kamalame.co: could not connect to host
 kamitech.ch: could not connect to host
 kanganer.com: could not connect to host
 kangzaber.com: could not connect to host
 kapo.info: could not connect to host
 karamna.com: could not connect to host
 karuneshjohri.com: could not connect to host
 kat.al: could not connect to host
 katyusha.net: could not connect to host
 kawaiiku.com: could not connect to host
 kawaiiku.de: could not connect to host
 kaydan.io: could not connect to host
-kb3.net: could not connect to host
 kearney.io: could not connect to host
 kellyandantony.com: could not connect to host
 kelm.me: could not connect to host
 kermadec.com: could not connect to host
 keshausconsulting.com: could not connect to host
 kevinbowers.me: could not connect to host
 kevindekoninck.com: could not connect to host
 kevinfoley.cc: could not connect to host
@@ -1258,32 +1275,34 @@ kirill.ws: could not connect to host
 kj1396.net: could not connect to host
 kjoglum.me: could not connect to host
 kleinblogje.nl: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 116"  data: no]
 klingeletest.de: could not connect to host
 knep.me: could not connect to host
 kngk-azs.ru: could not connect to host
 kngkng.com: could not connect to host
 knightsweep.com: could not connect to host
+knnet.ch: could not connect to host
 knownsec.cf: could not connect to host
 koez-mangal.ch: could not connect to host
 koketteriet.se: could not connect to host
 kollawat.me: could not connect to host
 kollega.it: could not connect to host
 kongbaofang.com: could not connect to host
 konicaprinterdriver.com: could not connect to host
 konventseliten.se: could not connect to host
 kopfsalat.eu: could not connect to host
 koppelvlak.net: could not connect to host
 kotitesti.fi: could not connect to host
 kotorimusic.ga: could not connect to host
 kozmik.co: could not connect to host
 krag.be: could not connect to host
 krampus-fischamend.at: could not connect to host
 kriegskindernothilfe.de: could not connect to host
+ksero.center: could not connect to host
 ktube.yt: could not connect to host
 kubusadvocaten.nl: could not connect to host
 kuko-crews.org: could not connect to host
 kwikmed.eu: could not connect to host
 kwipi.com: could not connect to host
 kyberna.xyz: could not connect to host
 kyle.place: could not connect to host
 kylerwood.com: could not connect to host
@@ -1302,16 +1321,17 @@ lafr4nc3.xyz: could not connect to host
 lakehavasuhouserentals.com: could not connect to host
 lakhesis.net: could not connect to host
 landell.ml: could not connect to host
 langbein.org: could not connect to host
 langendorf-ernaehrung-training.de: could not connect to host
 lanonfire.com: could not connect to host
 latamarissiere.eu: could not connect to host
 lateliercantaldeco.fr: could not connect to host
+latemodern.com: could not connect to host
 lathamlabs.com: could not connect to host
 lathamlabs.net: could not connect to host
 lathamlabs.org: could not connect to host
 lazulu.com: could not connect to host
 lbarrios.es: could not connect to host
 lbrls.tk: could not connect to host
 lclarkpdx.com: could not connect to host
 lcti.biz: could not connect to host
@@ -1395,45 +1415,48 @@ love4taylor.eu.org: could not connect to
 loveandloyalty.se: could not connect to host
 lowt.us: could not connect to host
 loyaltech.ch: could not connect to host
 lstma.com: could not connect to host
 lszj.com: could not connect to host
 ltransferts.com: could not connect to host
 lubot.net: could not connect to host
 lucascodes.com: could not connect to host
+lucasgaland.com: could not connect to host
 lucidlogs.com: could not connect to host
 lucy.science: could not connect to host
 luisgf.es: could not connect to host
 lukasunger.cz: could not connect to host
 lukasunger.net: could not connect to host
 lukasztkacz.com: could not connect to host
 lumer.tech: could not connect to host
 luminancy.com: could not connect to host
 luom.net: could not connect to host
 luxonetwork.com: could not connect to host
 lycly.me: could not connect to host
 m-generator.com: could not connect to host
 m4570.xyz: could not connect to host
 m4g.ru: could not connect to host
 maartenterpstra.xyz: could not connect to host
 madeintucson.org: could not connect to host
+madnetwork.org: could not connect to host
 madusecurity.com: could not connect to host
 magicball.co: could not connect to host
 magnacumlaude.co: could not connect to host
 mahansexcavating.com: could not connect to host
 maik-mahlow.de: could not connect to host
 mail4geek.com: could not connect to host
 mailon.ga: could not connect to host
 makeit-so.de: could not connect to host
 makeuplove.nl: could not connect to host
 malamutedoalasca.com.br: could not connect to host
 malesbdsm.com: could not connect to host
 malgraph.net: could not connect to host
 mamastore.eu: could not connect to host
+manova.cz: could not connect to host
 marcelmarnitz.com: could not connect to host
 marche-nordic-jorat.ch: could not connect to host
 mardelcupon.com: could not connect to host
 mare92.cz: could not connect to host
 mariusschulte.de: could not connect to host
 mark-armstrong-gaming.com: could not connect to host
 marketgot.com: could not connect to host
 marketing-advertising.eu: could not connect to host
@@ -1462,16 +1485,17 @@ mbwemmel-usedcars.be: could not connect 
 mcadmin.net: could not connect to host
 mcdanieldevelopmentservices.com: could not connect to host
 mcideas.tk: could not connect to host
 mcjackk77.com: could not connect to host
 mckinley1.com: could not connect to host
 mcsa-usa.org: could not connect to host
 mcsnovatamabayan.com: could not connect to host
 me-dc.com: could not connect to host
+meadowfen.farm: could not connect to host
 meathealth.com: could not connect to host
 mecanicadom.com: could not connect to host
 mediadandy.com: could not connect to host
 mediadex.be: could not connect to host
 medicinskavranje.edu.rs: could not connect to host
 mediweed.tk: could not connect to host
 medy-me.com: could not connect to host
 megadrol.com: could not connect to host
@@ -1486,22 +1510,22 @@ menchez.me: could not connect to host
 menzaijia.com: could not connect to host
 mercanix.co.uk: could not connect to host
 mes10doigts.ovh: could not connect to host
 metaether.net: could not connect to host
 metrix-money-ptc.com: could not connect to host
 metrix.design: could not connect to host
 mexior.nl: could not connect to host
 meyeraviation.com: could not connect to host
-mhalfter.de: could not connect to host
 mhjuma.com: could not connect to host
 michaelcullen.name: could not connect to host
 michaelkuchta.me: could not connect to host
 michaelsulzer.com: could not connect to host
 michaelsulzer.eu: could not connect to host
+michaelzomer.com: could not connect to host
 michasfahrschule.com: could not connect to host
 microblading.pe: could not connect to host
 microlinks.org: could not connect to host
 mieterschutzkartei.de: could not connect to host
 mikeybot.com: could not connect to host
 millionairessecrets.com: could not connect to host
 mingy.ddns.net: could not connect to host
 mingyueli.com: could not connect to host
@@ -1530,27 +1554,26 @@ modded-minecraft-server-list.com: could 
 modernibytovytextil.cz: could not connect to host
 moderntld.net: could not connect to host
 moe-max.jp: could not connect to host
 moefi.xyz: could not connect to host
 moeyi.xyz: could not connect to host
 mongla168.net: could not connect to host
 mongla88.net: could not connect to host
 monitori.ng: could not connect to host
-monodukuri.cafe: could not connect to host
-monodzukuri.cafe: could not connect to host
 monotsuku.com: could not connect to host
 monozukuri.cafe: could not connect to host
 moobo.xyz: could not connect to host
 mooselook.de: could not connect to host
 moparcraft.com: could not connect to host
 moparcraft.org: could not connect to host
 mordrum.com: could not connect to host
 morepopcorn.co.nz: could not connect to host
 morfitronik.pl: could not connect to host
+morganino.eu: could not connect to host
 morz.org: could not connect to host
 mosaique-lachenaie.fr: could not connect to host
 moskva.guide: could not connect to host
 motezazer.fr: could not connect to host
 motocyklovedily.cz: could not connect to host
 motomorgen.com: could not connect to host
 motorbiketourhanoi.com: could not connect to host
 mountainadventureseminars.com: could not connect to host
@@ -1561,16 +1584,17 @@ mpserver12.org: could not connect to hos
 mrafrohead.com: could not connect to host
 mremallin.ca: could not connect to host
 mrizzio.com: could not connect to host
 mrliu.me: could not connect to host
 msgallery.tk: could not connect to host
 msz-fotografie.de: could not connect to host
 mtirc.co: could not connect to host
 mtn.cc: could not connect to host
+muchohentai.com: could not connect to host
 muj-svet.cz: could not connect to host
 multivpn.fr: could not connect to host
 munduch.cz: could not connect to host
 munrabi.com: could not connect to host
 murraycolin.org: could not connect to host
 murz.tv: could not connect to host
 muslimbanter.co.za: could not connect to host
 mxawei.cn: could not connect to host
@@ -1597,16 +1621,17 @@ nassi.me: could not connect to host
 nastysclaw.com: could not connect to host
 natur-udvar.hu: could not connect to host
 natuterra.com.br: could not connect to host
 ncdesigns-studio.com: could not connect to host
 ndtblog.com: could not connect to host
 necesitodinero.org: could not connect to host
 necio.ca: could not connect to host
 neer.io: could not connect to host
+neko.li: could not connect to host
 nekoku.io: could not connect to host
 nemumu.com: could not connect to host
 nerdjokes.de: could not connect to host
 nerfroute.com: could not connect to host
 nestone.ru: could not connect to host
 netbuzz.ru: could not connect to host
 netica.fr: could not connect to host
 netlocal.ru: could not connect to host
@@ -1623,21 +1648,21 @@ nexuscorporation.in: could not connect t
 nfluence.org: could not connect to host
 ngiemboon.net: could not connect to host
 nginxyii.tk: could not connect to host
 nicoleoquendo.com: could not connect to host
 nienfun.com: could not connect to host
 nikksno.io: could not connect to host
 nikobradshaw.com: could not connect to host
 nikolasbradshaw.com: could not connect to host
+ninreiei.jp: could not connect to host
 ninux.ch: could not connect to host
 niouininon.eu: could not connect to host
 nirada.info: could not connect to host
 nishikino-maki.com: could not connect to host
-niva.synology.me: could not connect to host
 nkadvertising.online: could not connect to host
 nocs.cn: could not connect to host
 nodelab-it.de: could not connect to host
 nodeselect.com: could not connect to host
 noelblog.ga: could not connect to host
 noisebridge.social: could not connect to host
 nolimits.net.nz: could not connect to host
 nonemu.ninja: could not connect to host
@@ -1673,37 +1698,39 @@ okusiassociates.com: could not connect t
 oldtimer-trifft-flugplatz.de: could not connect to host
 olgui.net: could not connect to host
 oliverspringer.eu: could not connect to host
 oneazcu.com: could not connect to host
 onewebdev.info: could not connect to host
 onsennuie.fr: could not connect to host
 onsite4u.de: could not connect to host
 onstud.com: could not connect to host
-ontheten.org: could not connect to host
 onwie.fr: could not connect to host
 ooeste.com: could not connect to host
 openconnect.com.au: could not connect to host
 opinion8td.com: could not connect to host
 opinionipannolini.it: could not connect to host
 orangekey.tk: could not connect to host
+oranges.tokyo: could not connect to host
+oranic.com: could not connect to host
 oricejoc.com: could not connect to host
+osacrypt.studio: could not connect to host
 oscarmashauri.com: could not connect to host
 oscsdp.cz: could not connect to host
 oshell.me: could not connect to host
 oshinagaki.jp: could not connect to host
 osmanlitorunu.com: could not connect to host
 ospree.me: could not connect to host
-oszri.hu: could not connect to host
 otinane.eu: could not connect to host
 otmns.net: could not connect to host
 ourchoice2016.com: could not connect to host
 overkillshop.com: could not connect to host
 owlscrap.ru: could not connect to host
 oxynux.xyz: could not connect to host
+p-pc.de: could not connect to host
 pabloartea.ga: could not connect to host
 packetcrash.net: could not connect to host
 pactf-flag-4boxdpa21ogonzkcrs9p.com: could not connect to host
 paichai.space: could not connect to host
 painosso.org: could not connect to host
 paio2-rec.com: could not connect to host
 paio2.com: could not connect to host
 palationtrade.com: could not connect to host
@@ -1722,16 +1749,18 @@ paypod.org: could not connect to host
 paytm.in: could not connect to host
 pbcknd.ml: could not connect to host
 pbscreens.com: could not connect to host
 pbytes.com: could not connect to host
 pcvirusclear.com: could not connect to host
 pear2pear.de: could not connect to host
 peerless.ae: could not connect to host
 peirong.me: could not connect to host
+pelletizermill.com: could not connect to host
+pemagrid.org: could not connect to host
 pengisatelier.net: could not connect to host
 pepper.dog: could not connect to host
 persjrp.ca: could not connect to host
 persoform.ch: could not connect to host
 petlife.od.ua: could not connect to host
 peuf.shop: could not connect to host
 peykezamin.ir: could not connect to host
 pfudor.tk: could not connect to host
@@ -1746,16 +1775,17 @@ photops.fr: could not connect to host
 phuong.faith: could not connect to host
 pianetaottica.eu: could not connect to host
 pianetaottica.info: could not connect to host
 picallo.es: could not connect to host
 picone.com.au: could not connect to host
 picotronic.de: could not connect to host
 picsandtours.com: could not connect to host
 pierrejeansuau.fr: could not connect to host
+pietawittermans.nl: could not connect to host
 pieterhordijk.com: could not connect to host
 pimspage.nl: could not connect to host
 pinebaylibrary.org: could not connect to host
 pinkhq.com: could not connect to host
 pinkinked.com: could not connect to host
 pinoyonlinetv.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 116"  data: no]
 pipenny.net: could not connect to host
 pitot-rs.org: could not connect to host
@@ -1772,16 +1802,17 @@ pmbremer.de: could not connect to host
 pogs.us: could not connect to host
 polit.im: could not connect to host
 pookl.com: could not connect to host
 poolinstallers.co.za: could not connect to host
 popkins.cf: could not connect to host
 popkins.ga: could not connect to host
 popkins.gq: could not connect to host
 popkins.tk: could not connect to host
+pornbay.org: could not connect to host
 pornblog.org: could not connect to host
 porschen.fr: could not connect to host
 port.social: could not connect to host
 portalisapres.cl: could not connect to host
 posobota.cz: could not connect to host
 posters.win: could not connect to host
 potbar.com: could not connect to host
 potbox.com: could not connect to host
@@ -1834,16 +1865,17 @@ psyk.yt: could not connect to host
 publimepa.it: could not connect to host
 pugilares.com.pl: could not connect to host
 puhe.se: could not connect to host
 puikheid.nl: could not connect to host
 pwdgen.net: could not connect to host
 pwntr.com: could not connect to host
 pyjiaoyi.cf: could not connect to host
 pythia.nz: could not connect to host
+pyzlnar.com: could not connect to host
 qforum.org: could not connect to host
 qikan.net: could not connect to host
 qirinus.com: could not connect to host
 qnatek.org: could not connect to host
 qoqo.us: could not connect to host
 qqvips.com: could not connect to host
 qrlfinancial.com: could not connect to host
 qto.net: could not connect to host
@@ -1892,31 +1924,33 @@ report-incident.de: could not connect to
 reposaarenkuva.fi: could not connect to host
 reqognize.com: could not connect to host
 research.md: could not connect to host
 resoundpro.ca: could not connect to host
 reth.ch: could not connect to host
 retube.ga: could not connect to host
 reucon.com: could not connect to host
 reykjavik.guide: could not connect to host
+rhodes.ml: could not connect to host
 ribopierre.fr: could not connect to host
 riceglue.com: could not connect to host
 richardb.me: could not connect to host
 richeza.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 116"  data: no]
 righteousendeavour.com: could not connect to host
 riversideauto.net: could not connect to host
 riverstyxgame.com: could not connect to host
 roave.com: could not connect to host
 robi-net.it: could not connect to host
 robomonkey.org: could not connect to host
 robust.ga: could not connect to host
 rodehutskors.net: could not connect to host
 rodzina-kupiec.eu.org: could not connect to host
 rofrank.space: could not connect to host
 roguesignal.net: could not connect to host
+rolandkolodziej.com: could not connect to host
 rolandszabo.com: could not connect to host
 romanticvillas.com.au: could not connect to host
 rondreis-planner.nl: could not connect to host
 ronghexx.com: could not connect to host
 rool.me: could not connect to host
 roolevoi.ru: could not connect to host
 rootbsd.at: could not connect to host
 rospa100.com: could not connect to host
@@ -1930,26 +1964,27 @@ rsldb.com: could not connect to host
 rtc.fun: could not connect to host
 rubbix.net: could not connect to host
 rubendv.be: could not connect to host
 ruhr3.de: could not connect to host
 ruja.dk: could not connect to host
 runcarina.com: could not connect to host
 rundumcolumn.xyz: could not connect to host
 runschrauger.com: could not connect to host
+ruobr.ru: could not connect to host
 ruurdboomsma.nl: could not connect to host
 rzegroup.com: could not connect to host
 s0923.com: could not connect to host
 s16e.no: could not connect to host
 s3n.se: could not connect to host
 safedevice.net: could not connect to host
 safejourney.education: could not connect to host
 saferedirectlink.com: could not connect to host
-safeui.com: could not connect to host
 sagemontchurch.org: could not connect to host
+sahkotyot.eu: could not connect to host
 sallysubs.com: could not connect to host
 salzamt.tk: could not connect to host
 samaritan.tech: could not connect to host
 samsonova.de: could not connect to host
 sanael.net: could not connect to host
 sanatrans.com: could not connect to host
 sanmuding.com: could not connect to host
 santanderideas.com: could not connect to host
@@ -1964,17 +1999,22 @@ savecashindia.com: could not connect to 
 savethedogfishfoundation.org: could not connect to host
 savingbytes.com: could not connect to host
 saxol-group.com: could not connect to host
 sbm.cloud: could not connect to host
 scalaire.fr: could not connect to host
 schaafenstrasse.koeln: could not connect to host
 schmidttulskie.de: could not connect to host
 schnapke.name: could not connect to host
+schrauger.com: could not connect to host
+schrauger.info: could not connect to host
+schrauger.net: could not connect to host
+schrauger.org: could not connect to host
 schrauger.run: could not connect to host
+schraugerrun.com: could not connect to host
 schul-bar.de: could not connect to host
 scib.tk: could not connect to host
 sciencemonster.co.uk: could not connect to host
 scintillating.stream: could not connect to host
 scitopia.me: could not connect to host
 scm-2017.org: could not connect to host
 scootfleet.com: could not connect to host
 scottainslie.me.uk: could not connect to host
@@ -1991,23 +2031,23 @@ secure-automotive-cloud.com: could not c
 secure-automotive-cloud.org: could not connect to host
 secureindia.co: could not connect to host
 security.xn--q9jyb4c: could not connect to host
 securitymap.wiki: could not connect to host
 securitysoapbox.com: could not connect to host
 securitytalk.pl: could not connect to host
 securon.io: could not connect to host
 securoswiss.ch: could not connect to host
+seeclop.ch: could not connect to host
 seefirm.com: could not connect to host
 seen.life: could not connect to host
 selent.me: could not connect to host
 seleondar.ru: could not connect to host
 selfserverx.com: could not connect to host
 sellmoretires.com: could not connect to host
-semaphore-studios.com: could not connect to host
 seo-nerd.de: could not connect to host
 seoscribe.net: could not connect to host
 servecrypt.net: could not connect to host
 serverlauget.no: could not connect to host
 servfefe.com: could not connect to host
 seryovpn.com: could not connect to host
 sesha.co.za: could not connect to host
 sessionslogning.dk: could not connect to host
@@ -2031,17 +2071,16 @@ shirakaba-cc.com: could not connect to h
 shred.ch: could not connect to host
 shredoptics.ch: could not connect to host
 shtorku.com: could not connect to host
 shurita.org: could not connect to host
 shuzicai.cn: could not connect to host
 shymeck.pw: could not connect to host
 siamega.com: could not connect to host
 siebens.net: could not connect to host
-sift-tool.org: could not connect to host
 signosquecombinam.com.br: could not connect to host
 siikarantacamping.fi: could not connect to host
 sijmenschoon.nl: could not connect to host
 sikatehtaat.fi: could not connect to host
 siku.pro: could not connect to host
 silqueskineyeserum.com: could not connect to host
 silverback.is: could not connect to host
 silviamacallister.com: could not connect to host
@@ -2051,17 +2090,16 @@ simonschmitt.ch: could not connect to ho
 simplerses.com: could not connect to host
 sims4hub.ga: could not connect to host
 sinfulforums.net: could not connect to host
 sinsojb.me: could not connect to host
 siqi.wang: could not connect to host
 sitecloudify.com: could not connect to host
 sitemaxiphilippe.ch: could not connect to host
 sjdaws.com: could not connect to host
-sjis.me: could not connect to host
 skarox.ru: could not connect to host
 skontakt.cz: could not connect to host
 skontorp-enterprise.no: could not connect to host
 sky-aroma.com: could not connect to host
 skylocker.net: could not connect to host
 skylocker.nl: could not connect to host
 skyvault.io: could not connect to host
 sl1pkn07.wtf: could not connect to host
@@ -2093,16 +2131,17 @@ sourcecode.love: could not connect to ho
 sowingseasons.com: could not connect to host
 sowncloud.de: could not connect to host
 sp.rw: could not connect to host
 spam.lol: could not connect to host
 spanien.guide: could not connect to host
 sparkbase.cn: could not connect to host
 spartantheatre.org: could not connect to host
 spawn.cz: could not connect to host
+spendwise.com.au: could not connect to host
 sphinx.network: could not connect to host
 spicydog.tk: could not connect to host
 spicywombat.com: could not connect to host
 split.is: could not connect to host
 springsoffthegrid.com: could not connect to host
 squids.space: could not connect to host
 squirtlesbians.net: could not connect to host
 sqzryang.com: could not connect to host
@@ -2119,16 +2158,20 @@ startupum.ru: could not connect to host
 state-of-body-and-mind.com: could not connect to host
 statgram.me: could not connect to host
 static-assets.io: could not connect to host
 static.hosting: could not connect to host
 staticisnoise.com: could not connect to host
 statusbot.io: could not connect to host
 steffi-in-australien.com: could not connect to host
 stellarium-gornergrat.ch: could not connect to host
+stephenschrauger.com: could not connect to host
+stephenschrauger.info: could not connect to host
+stephenschrauger.net: could not connect to host
+stephenschrauger.org: could not connect to host
 stevengoodpaster.com: could not connect to host
 stickswag.cf: could not connect to host
 stikonas.eu: could not connect to host
 stilettomoda.com.br: could not connect to host
 stoianlawfirm.com: could not connect to host
 stonefusion.org.uk: could not connect to host
 stonemanbrasil.com.br: could not connect to host
 stopakwardhandshakes.org: could not connect to host
@@ -2156,17 +2199,16 @@ surasak.org: could not connect to host
 surdam.casa: could not connect to host
 susastudentenjobs.de: could not connect to host
 suspiciousdarknet.xyz: could not connect to host
 suts.co.uk: could not connect to host
 svj-stochovska.cz: could not connect to host
 svjvn.cz: could not connect to host
 swacp.com: could not connect to host
 swaggerdile.com: could not connect to host
-swarlys-server.de: could not connect to host
 sweetlegs.jp: could not connect to host
 sweetll.me: could not connect to host
 sweetvanilla.jp: could not connect to host
 swfloshatraining.com: could not connect to host
 swissentreprises.ch: could not connect to host
 swuosa.org: could not connect to host
 sydney-sehen.com: could not connect to host
 syhost.at: could not connect to host
@@ -2186,16 +2228,17 @@ taidu.news: could not connect to host
 takedownthissite.com: could not connect to host
 takusan.ru: could not connect to host
 talado.gr: could not connect to host
 tanak3n.xyz: could not connect to host
 tangerine.ga: could not connect to host
 tangzhao.net: could not connect to host
 tapestries.tk: could not connect to host
 taranis.re: could not connect to host
+tarantul.org.ua: could not connect to host
 tardybaker.com: could not connect to host
 tarek.link: could not connect to host
 tazemama.biz: could not connect to host
 tcpweb.net: could not connect to host
 tdelmas.eu: could not connect to host
 tdelmas.ovh: could not connect to host
 tdsb.cf: could not connect to host
 tdsbhack.tk: could not connect to host
@@ -2288,17 +2331,16 @@ tpolemis.com: could not connect to host
 track.plus: could not connect to host
 tradingrooms.com: could not connect to host
 traforet.win: could not connect to host
 trainhornforums.com: could not connect to host
 trainline.io: could not connect to host
 transappealrights.com: could not connect to host
 transcendmotor.sg: could not connect to host
 transmithe.net: could not connect to host
-travelling.expert: could not connect to host
 travotion.com: could not connect to host
 treker.us: could not connect to host
 triageo.com.au: could not connect to host
 tristanfarkas.one: could not connect to host
 tryfm.net: could not connect to host
 trynowrinkleseyeserum.com: could not connect to host
 tryti.me: could not connect to host
 tsaro.io: could not connect to host
@@ -2359,16 +2401,17 @@ vagpartsdb.com: could not connect to hos
 valecnatechnika.cz: could not connect to host
 valenhub.com: could not connect to host
 valenhub.es: could not connect to host
 valis.sx: could not connect to host
 vamosfalardesaude.pt: could not connect to host
 vanderstraeten.dynv6.net: could not connect to host
 vapemania.eu: could not connect to host
 varela-electricite.fr: could not connect to host
+variable.agency: could not connect to host
 vayaport.com: could not connect to host
 vconcept.ch: could not connect to host
 vconcept.me: could not connect to host
 vdanker.net: could not connect to host
 vectro.me: could not connect to host
 velasense.com: could not connect to host
 velen.io: could not connect to host
 venicecomputerrepair.com: could not connect to host
@@ -2468,17 +2511,16 @@ wherephoto.com: could not connect to hos
 whilsttraveling.com: could not connect to host
 whiskynerd.ca: could not connect to host
 whitworth.nyc: could not connect to host
 whoneedstobeprimaried.today: could not connect to host
 whyy.eu.org: could not connect to host
 wibuw.com: could not connect to host
 wilfrid-calixte.fr: could not connect to host
 wilhelm-nathan.de: could not connect to host
-willeminfo.ch: could not connect to host
 willkommen-fuerstenberg.de: could not connect to host
 winnersports.co: could not connect to host
 winsufi.biz: could not connect to host
 wisak.eu: could not connect to host
 wishesbee.com: could not connect to host
 wissl.org: could not connect to host
 wizznab.tk: could not connect to host
 wk577.com: could not connect to host
@@ -2497,18 +2539,16 @@ wp-fastsearch.de: could not connect to h
 wp-stack.pro: could not connect to host
 wp6.pw: could not connect to host
 wsdcap.com: could not connect to host
 wuchipc.com: could not connect to host
 wumbo.kiwi: could not connect to host
 www-68277.com: could not connect to host
 www-8887999.com: could not connect to host
 www.history.pe: could not connect to host
-wxrlab.com: could not connect to host
-wyeworks.com: could not connect to host
 xatr0z.org: could not connect to host
 xbc.nz: could not connect to host
 xeonlab.com: could not connect to host
 xeonlab.de: could not connect to host
 xia100.xyz: could not connect to host
 xianguocy.com: could not connect to host
 xing.ml: could not connect to host
 xiqi.us: could not connect to host
@@ -2516,39 +2556,40 @@ xlboo.com: could not connect to host
 xmiui.com: could not connect to host
 xn----7sbmucgqdbgwwc5e9b.xn--p1ai: could not connect to host
 xn--6x6a.life: could not connect to host
 xn--8mr166hf6s.xn--fiqs8s: could not connect to host
 xn--c5w27q.ml: could not connect to host
 xn--srenpind-54a.dk: could not connect to host
 xn--t8j2a3042d.xyz: could not connect to host
 xn--tda.ml: could not connect to host
+xn--thorme-6uaf.ca: could not connect to host
 xn--vck8crc010pu14e.biz: could not connect to host
 xn--yj8h0m.ws: could not connect to host
 xn--ykrp42k.com: could not connect to host
 xpwn.cz: could not connect to host
 xtom.io: could not connect to host
 xtzone.be: could not connect to host
 xuntaosms.com: could not connect to host
 xwaretech.info: could not connect to host
 xyfun.net: could not connect to host
 y3451.com: could not connect to host
 yabrt.cn: could not connect to host
 yahoo.ax: could not connect to host
 yarchives.jp: could not connect to host
 yaucy.win: could not connect to host
+ybresson.com: could not connect to host
 yd.io: could not connect to host
 yellowcar.website: could not connect to host
 yemalu.com: could not connect to host
 yemekbaz.az: could not connect to host
 yepbitcoin.com: could not connect to host
 yesfone.com.br: could not connect to host
 yggdar.ga: could not connect to host
 yhori.xyz: could not connect to host
-yhwj.top: could not connect to host
 yibin0831.com: could not connect to host
 ying299.com: could not connect to host
 ying299.net: could not connect to host
 yinga.ga: could not connect to host
 ylk.io: could not connect to host
 yobbelwobbel.de: could not connect to host
 yobst.tk: could not connect to host
 yoga.is-an-engineer.com: could not connect to host
@@ -2568,46 +2609,46 @@ zaoext.com: could not connect to host
 zbchen.com: could not connect to host
 zbp.at: could not connect to host
 zeitzer-turngala.de: could not connect to host
 zeloz.xyz: could not connect to host
 zenghx.tk: could not connect to host
 zero-x-baadf00d.com: could not connect to host
 zerocool.io: could not connect to host
 zerosource.net: could not connect to host
-zhang.nz: could not connect to host
 zhangfangzhou.com: could not connect to host
 zhangsir.net: could not connect to host
 zhaochen.xyz: could not connect to host
 zhenmeish.com: could not connect to host
 zhikin.com: could not connect to host
 zhoujiashu.com: could not connect to host
 zikirakhirzaman.com: could not connect to host
 zmk.fr: could not connect to host
 zobraz.cz: could not connect to host
 zohar.shop: could not connect to host
 zokster.net: could not connect to host
 zolokar.xyz: could not connect to host
 zonemaster.fr: could not connect to host
 zonemaster.net: could not connect to host
+zoological-gardens.eu: could not connect to host
 zorz.info: could not connect to host
 zudomc.me: could not connect to host
 zuehlcke.de: could not connect to host
 zulu7.com: could not connect to host
 zuviel.space: could not connect to host
 zypr.pw: could not connect to host
 zyx.im: could not connect to host
 zzw.ca: could not connect to host
 00001.am: did not receive HSTS header
 00002.am: did not receive HSTS header
 0005.com: could not connect to host
 0005aa.com: could not connect to host
 007sascha.de: did not receive HSTS header
 020wifi.nl: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 116"  data: no]
-0222aa.com: could not connect to host
+0222aa.com: did not receive HSTS header
 02dl.net: did not receive HSTS header
 040fit.nl: did not receive HSTS header
 048.ag: could not connect to host
 050508.com: could not connect to host
 066928.com: could not connect to host
 066938.com: could not connect to host
 0f.io: could not connect to host
 0fl.com: did not receive HSTS header
@@ -2697,16 +2738,17 @@ 341.mg: could not connect to host
 3555aa.com: could not connect to host
 35792.de: could not connect to host
 360gradus.com: did not receive HSTS header
 365.or.jp: could not connect to host
 368mibn.com: could not connect to host
 3778xl.com: did not receive HSTS header
 38sihu.com: could not connect to host
 39sihu.com: could not connect to host
+3ags.de: did not receive HSTS header
 3chit.cf: could not connect to host
 3click-loan.com: could not connect to host
 3d-bastler.de: could not connect to host
 3dcart.com: did not receive HSTS header
 3delivered.com: could not connect to host
 3dproteinimaging.com: did not receive HSTS header
 3fl.com: did not receive HSTS header
 3mbo.de: did not receive HSTS header
@@ -2781,16 +2823,17 @@ a-theme.com: could not connect to host
 a1-autopartsglasgow.com: did not receive HSTS header
 a200k.xyz: did not receive HSTS header
 a3workshop.swiss: could not connect to host
 a9c.co: could not connect to host
 aa7733.com: could not connect to host
 aaeblog.com: did not receive HSTS header
 aaeblog.net: did not receive HSTS header
 aaeblog.org: did not receive HSTS header
+aanbieders.ga: did not receive HSTS header
 aaoo.net: could not connect to host
 aapp.space: could not connect to host
 aaron-gustafson.com: did not receive HSTS header
 aaronmcguire.me: did not receive HSTS header
 abareplace.com: did not receive HSTS header
 abcdentalcare.com: did not receive HSTS header
 abcdobebe.com: max-age too low: 0
 abchelp.net: did not receive HSTS header
@@ -2823,16 +2866,17 @@ access-sofia.org: did not receive HSTS h
 accommodation-berry.com.au: max-age too low: 300
 accountradar.com: max-age too low: 86400
 accounts-p.com: could not connect to host
 acgmoon.org: did not receive HSTS header
 acheirj.com.br: could not connect to host
 acheritage.co.uk: did not receive HSTS header
 acisonline.net: did not receive HSTS header
 acoffeeshops.com: could not connect to host
+acourse.io: did not receive HSTS header
 acr.im: could not connect to host
 acrepairdrippingsprings.com: could not connect to host
 acritelli.com: did not receive HSTS header
 acslimited.co.uk: did not receive HSTS header
 activateplay.com: max-age too low: 86400
 active-escape.com: did not receive HSTS header
 activeclearweb.com: could not connect to host
 activeweb.top: could not connect to host
@@ -2998,17 +3042,16 @@ alphabuild.io: could not connect to host
 alphagamers.net: did not receive HSTS header
 alphalabs.xyz: could not connect to host
 als-hardware.co.za: did not receive HSTS header
 alspolska.pl: max-age too low: 2592000
 alt33c3.org: could not connect to host
 altailife.ru: did not receive HSTS header
 altamarea.se: could not connect to host
 alteqnia.com: could not connect to host
-altered.network: could not connect to host
 altfire.ca: could not connect to host
 altmv.com: max-age too low: 7776000
 aluminium-scaffolding.co.uk: could not connect to host
 alunjam.es: did not receive HSTS header
 alusta.co: could not connect to host
 am8888.top: could not connect to host
 amandaonishi.com: could not connect to host
 amavis.org: did not receive HSTS header
@@ -3091,16 +3134,17 @@ ankaraprofesyonelnakliyat.com: did not r
 ankaraprofesyonelnakliyat.com.tr: did not receive HSTS header
 ankarayilmaznakliyat.com: did not receive HSTS header
 ankarayucelnakliyat.com: did not receive HSTS header
 annabellaw.com: did not receive HSTS header
 annahmeschluss.de: did not receive HSTS header
 annarbor.group: did not receive HSTS header
 annsbouncycastles.com: did not receive HSTS header
 anomaly.ws: did not receive HSTS header
+anonboards.com: did not receive HSTS header
 anonymo.co.uk: could not connect to host
 anonymo.uk: could not connect to host
 anonymousstatecollegelulzsec.com: could not connect to host
 anook.com: max-age too low: 0
 ansdell.info: could not connect to host
 anshuman-chatterjee.com: did not receive HSTS header
 ansibeast.net: could not connect to host
 anstoncs.com.au: max-age too low: 86400
@@ -3195,28 +3239,28 @@ aroundme.org: did not receive HSTS heade
 arpa.ph: did not receive HSTS header
 arpr.co: did not receive HSTS header
 arrayify.com: could not connect to host
 arrow-cloud.nl: could not connect to host
 arrowfunction.com: could not connect to host
 ars-design.net: could not connect to host
 art2web.net: could not connect to host
 artartefatos.com.br: could not connect to host
+artbytik.ru: did not receive HSTS header
 artegusto.ru: did not receive HSTS header
 arterienundvenen.ch: did not receive HSTS header
 artesupra.com: did not receive HSTS header
 arthan.me: could not connect to host
 artifex21.com: could not connect to host
 artifex21.fr: could not connect to host
 artiming.com: could not connect to host
 artisavotins.com: could not connect to host
 artisphere.ch: did not receive HSTS header
 artistnetwork.nl: did not receive HSTS header
 artsinthevalley.net.au: did not receive HSTS header
-arturkohut.com: did not receive HSTS header
 artyland.ru: did not receive HSTS header
 arvamus.eu: could not connect to host
 arzaroth.com: did not receive HSTS header
 as.se: could not connect to host
 as9178.net: could not connect to host
 asahikoji.net: could not connect to host
 asasuou.pw: could not connect to host
 asc16.com: could not connect to host
@@ -3314,17 +3358,16 @@ avantmfg.com: did not receive HSTS heade
 avastantivirus.ro: did not receive HSTS header
 avec-ou-sans-ordonnance.fr: could not connect to host
 aveling-adventure.co.uk: did not receive HSTS header
 avepol.cz: did not receive HSTS header
 avepol.eu: did not receive HSTS header
 aviacao.pt: did not receive HSTS header
 avidcruiser.com: did not receive HSTS header
 aviodeals.com: could not connect to host
-avqueen.cn: could not connect to host
 avtosept.by: did not receive HSTS header
 avus-automobile.com: did not receive HSTS header
 awanderlustadventure.com: did not receive HSTS header
 awg-mode.de: did not receive HSTS header
 aww.moe: did not receive HSTS header
 axado.com.br: did not receive HSTS header
 axelchv.fr: did not receive HSTS header
 axeny.com: did not receive HSTS header
@@ -3453,17 +3496,17 @@ bedeta.de: could not connect to host
 bedreid.dk: did not receive HSTS header
 bedrijvenadministratie.nl: could not connect to host
 beerboutique.com.br: could not connect to host
 beetleroadstories.com: could not connect to host
 befundup.com: could not connect to host
 beginwp.top: did not receive HSTS header
 behere.be: could not connect to host
 beholdthehurricane.com: could not connect to host
-beier.io: could not connect to host
+beier.io: did not receive HSTS header
 beikeil.de: max-age too low: 86400
 belairsewvac.com: could not connect to host
 belewpictures.com: could not connect to host
 belgien.guide: could not connect to host
 belize-firmengruendung.com: could not connect to host
 belliash.eu.org: could not connect to host
 belltower.io: could not connect to host
 belmontprom.com: could not connect to host
@@ -3568,16 +3611,17 @@ bioespuna.eu: did not receive HSTS heade
 biofam.ru: did not receive HSTS header
 bioknowme.com: did not receive HSTS header
 bionicspirit.com: could not connect to host
 biophysik-ssl.de: did not receive HSTS header
 birgitandmerlin.com: did not receive HSTS header
 birkman.com: could not connect to host
 bismarck.moe: did not receive HSTS header
 bisterfeldt.com: could not connect to host
+bistrocean.com: did not receive HSTS header
 bitbit.org: did not receive HSTS header
 bitbr.net: did not receive HSTS header
 bitcantor.com: did not receive HSTS header
 bitchan.it: could not connect to host
 bitcoinhk.org: did not receive HSTS header
 bitcoinprivacy.net: did not receive HSTS header
 bitcoinworld.me: did not receive HSTS header
 bitconcepts.co.uk: could not connect to host
@@ -3908,17 +3952,17 @@ capeyorkfire.com.au: could not connect t
 capogna.com: did not receive HSTS header
 capsogusto.com: did not receive HSTS header
 captchatheprize.com: could not connect to host
 captianseb.de: could not connect to host
 captivatedbytabrett.com: could not connect to host
 car-navi.ph: did not receive HSTS header
 carano-service.de: did not receive HSTS header
 caraudio69.cz: could not connect to host
-carboneselectricosnettosl.info: did not receive HSTS header
+carboneselectricosnettosl.info: max-age too low: 0
 card-toka.jp: did not receive HSTS header
 cardoni.net: did not receive HSTS header
 cardstream.com: did not receive HSTS header
 cardurl.com: did not receive HSTS header
 careerstuds.com: could not connect to host
 caringladies.org: could not connect to host
 carlo.mx: did not receive HSTS header
 carlolly.co.uk: could not connect to host
@@ -3944,17 +3988,17 @@ casinostest.com: could not connect to ho
 casioshop.eu: did not receive HSTS header
 casjay.cloud: did not receive HSTS header
 casovi.cf: could not connect to host
 castagnonavocats.com: did not receive HSTS header
 cata.ga: could not connect to host
 catalin.pw: could not connect to host
 catarsisvr.com: could not connect to host
 catchers.cc: did not receive HSTS header
-catinmay.com: did not receive HSTS header
+catinmay.com: could not connect to host
 catnapstudios.com: could not connect to host
 cavaleria.ro: did not receive HSTS header
 caveclan.org: did not receive HSTS header
 cavedevs.de: could not connect to host
 cavedroid.xyz: could not connect to host
 cavern.tv: did not receive HSTS header
 cayafashion.de: did not receive HSTS header
 cayounglab.co.jp: did not receive HSTS header
@@ -3987,18 +4031,19 @@ cerize.love: could not connect to host
 cernega.ro: did not receive HSTS header
 cert.se: max-age too low: 2628001
 certifi.io: could not connect to host
 certmgr.org: could not connect to host
 cesal.net: could not connect to host
 cesidianroot.eu: could not connect to host
 cevrimici.com: could not connect to host
 cfcnexus.org: could not connect to host
-cfcproperties.com: could not connect to host
+cfcproperties.com: did not receive HSTS header
 cfetengineering.com: could not connect to host
+cfo.gov: did not receive HSTS header
 cfoitplaybook.com: could not connect to host
 cganx.org: could not connect to host
 cgerstner.eu: did not receive HSTS header
 cgsshelper.tk: could not connect to host
 chadklass.com: could not connect to host
 chahub.com: could not connect to host
 chainmonitor.com: could not connect to host
 champ.dog: did not receive HSTS header
@@ -4014,17 +4059,16 @@ charitystreet.co.uk: could not connect t
 charliemcneive.com: did not receive HSTS header
 charlipopkids.com.au: could not connect to host
 charnleyhouse.co.uk: did not receive HSTS header
 charp.eu: could not connect to host
 chartstoffarm.de: max-age too low: 10
 chaska.co.za: did not receive HSTS header
 chat-porc.eu: did not receive HSTS header
 chatbot.me: did not receive HSTS header
-chatbots.systems: did not receive HSTS header
 chateauconstellation.ch: did not receive HSTS header
 chatup.cf: could not connect to host
 chaulootz.com: did not receive HSTS header
 chcemvediet.sk: max-age too low: 1555200
 cheapdns.org: could not connect to host
 cheazey.net: did not receive HSTS header
 chebedara.com: could not connect to host
 cheekylittlerascals.co.uk: did not receive HSTS header
@@ -4113,17 +4157,17 @@ classicsandexotics.com: could not connec
 classicshop.ua: did not receive HSTS header
 classicspublishing.com: could not connect to host
 classifiedssa.co.za: could not connect to host
 clcleaningco.com: could not connect to host
 cleanexperts.co.uk: could not connect to host
 cleaningsquad.ca: did not receive HSTS header
 cleanmta.com: could not connect to host
 clearc.tk: could not connect to host
-clearsky.me: could not connect to host
+clearsky.me: did not receive HSTS header
 clerkendweller.uk: could not connect to host
 clickandgo.com: did not receive HSTS header
 clickandshoot.nl: did not receive HSTS header
 clickclickphish.com: did not receive HSTS header
 clickgram.biz: could not connect to host
 clicks.co.za: max-age too low: 1800
 clicn.bio: could not connect to host
 clicnbio.com: could not connect to host
@@ -4267,26 +4311,27 @@ connectfss.com: could not connect to hos
 connectingconcepts.com: did not receive HSTS header
 conrail.blue: did not receive HSTS header
 consciousandglamorous.com: could not connect to host
 consciousbrand.org.au: could not connect to host
 consciousbranding.org.au: could not connect to host
 consciousbrands.net.au: could not connect to host
 console.python.org: did not receive HSTS header
 console.support: did not receive HSTS header
-consultorcr.net: did not receive HSTS header
+consultorcr.net: could not connect to host
+consumerfiles.com: did not receive HSTS header
 contactbig.com: did not receive HSTS header
 contaimo.com: did not receive HSTS header
 container-lion.com: did not receive HSTS header
 containerstatistics.com: could not connect to host
 contarkos.xyz: could not connect to host
 content-design.de: did not receive HSTS header
 continuumgaming.com: could not connect to host
 controlcenter.gigahost.dk: did not receive HSTS header
-controleer-maar-een-ander.nl: did not receive HSTS header
+controleer-maar-een-ander.nl: could not connect to host
 convergemagazine.com: did not receive HSTS header
 convert.zone: did not receive HSTS header
 cooink.net: could not connect to host
 coolaj86.com: did not receive HSTS header
 coolbutbroken.com: did not receive HSTS header
 coolchevy.org.ua: did not receive HSTS header
 coole-meister.de: could not connect to host
 coonelnel.net: did not receive HSTS header
@@ -4541,17 +4586,16 @@ dcbouncycastles.co.uk: did not receive H
 dccode.gov: could not connect to host
 dccoffeeproducts.com: did not receive HSTS header
 dccraft.net: could not connect to host
 dctxf.com: did not receive HSTS header
 dcuofriends.net: could not connect to host
 dcurt.is: did not receive HSTS header
 dcw.io: did not receive HSTS header
 ddatsh.com: did not receive HSTS header
-ddepot.us: did not receive HSTS header
 deadsoul.net: max-age too low: 0
 debank.tv: did not receive HSTS header
 debatch.se: could not connect to host
 debian-vhost.de: could not connect to host
 debiton.dk: could not connect to host
 debtkit.co.uk: did not receive HSTS header
 debtprotectionreporting.com: did not receive HSTS header
 decafu.co: could not connect to host
@@ -4635,17 +4679,16 @@ devistravaux.org: did not receive HSTS h
 devlux.ch: did not receive HSTS header
 devmsg.com: did not receive HSTS header
 devnsec.com: could not connect to host
 devnull.team: could not connect to host
 devopps.me: could not connect to host
 devopsconnected.com: could not connect to host
 devtub.com: did not receive HSTS header
 devuan.org: did not receive HSTS header
-dewebwerf.nl: did not receive HSTS header
 dewin.io: could not connect to host
 dfnet.ml: did not receive HSTS header
 dfrance.com.br: did not receive HSTS header
 dfviana.com.br: max-age too low: 2592000
 dhaynes.xyz: max-age too low: 2592000
 dhpcs.com: did not receive HSTS header
 dhpiggott.net: did not receive HSTS header
 diablotine.rocks: could not connect to host
@@ -4664,16 +4707,17 @@ diewebstube.de: could not connect to hos
 diezel.com: could not connect to host
 diferenca.com: did not receive HSTS header
 diggable.co: max-age too low: 2592000
 digired.xyz: could not connect to host
 digitalbank.kz: could not connect to host
 digitalcraftmarketing.co.uk: did not receive HSTS header
 digitaldaddy.net: could not connect to host
 digitalero.rip: did not receive HSTS header
+digitalhurricane.io: did not receive HSTS header
 digitalimpostor.co.uk: could not connect to host
 digitaljungle.net: could not connect to host
 digitallocker.com: did not receive HSTS header
 digitalnonplus.com: could not connect to host
 digitalquery.com: did not receive HSTS header
 digitalriver.tk: did not receive HSTS header
 digitalskillswap.com: could not connect to host
 digiworks.se: did not receive HSTS header
@@ -4863,16 +4907,17 @@ dudesunderwear.com.br: could not connect
 duelysthub.com: could not connect to host
 dukec.me: did not receive HSTS header
 dullsir.com: did not receive HSTS header
 dune.io: did not receive HSTS header
 dunea.nl: did not receive HSTS header
 duole30.com: did not receive HSTS header
 duongpho.com: did not receive HSTS header
 duskopy.top: could not connect to host
+dutchessuganda.com: did not receive HSTS header
 dutchrank.com: did not receive HSTS header
 duuu.ch: could not connect to host
 duyao.de: max-age too low: 86400
 dv189.com: did not receive HSTS header
 dycem-ns.com: did not receive HSTS header
 dycontrol.de: could not connect to host
 dylanscott.com.au: did not receive HSTS header
 dymersion.com: did not receive HSTS header
@@ -4891,16 +4936,17 @@ e191.com: did not receive HSTS header
 e30gruppe.com: did not receive HSTS header
 e3amn2l.com: could not connect to host
 e3kids.com: did not receive HSTS header
 e505.net: did not receive HSTS header
 eagle-aluminum.com: did not receive HSTS header
 eam-gmbh.com: did not receive HSTS header
 earga.sm: could not connect to host
 earlybirdsnacks.com: could not connect to host
+earmarks.gov: did not receive HSTS header
 earthrise16.com: could not connect to host
 easthokkaido-5airport.jp: did not receive HSTS header
 easychiller.org: could not connect to host
 easykonto.de: could not connect to host
 easyplane.it: did not receive HSTS header
 easysimplecrm.com: did not receive HSTS header
 eatvisor.co.uk: could not connect to host
 eauclairecommerce.com: could not connect to host
@@ -5192,17 +5238,17 @@ everygayporn.xyz: did not receive HSTS h
 everylab.org: could not connect to host
 everything.place: did not receive HSTS header
 eveseat.net: could not connect to host
 evi.be: did not receive HSTS header
 evilnerd.de: did not receive HSTS header
 evilsay.com: could not connect to host
 evin.ml: could not connect to host
 evites.me: could not connect to host
-evoludis.net: did not receive HSTS header
+evoludis.net: could not connect to host
 evomon.com: could not connect to host
 evossd.tk: could not connect to host
 evowl.com: could not connect to host
 ewallet-optimizer.com: did not receive HSTS header
 ewex.org: could not connect to host
 excelgum.ca: did not receive HSTS header
 exfiles.cz: did not receive HSTS header
 exgravitus.com: could not connect to host
@@ -5316,16 +5362,17 @@ fegans.org.uk: did not receive HSTS head
 feitobrasilcosmeticos.com.br: did not receive HSTS header
 feliwyn.fr: did not receive HSTS header
 felixrr.pro: could not connect to host
 femaledom.xyz: could not connect to host
 feminists.co: could not connect to host
 fenno.net: could not connect to host
 fensdorf.de: did not receive HSTS header
 fenteo.com: could not connect to host
+feragon.net: did not receive HSTS header
 feriahuamantla.com: could not connect to host
 fernangp.com: did not receive HSTS header
 fernseher-kauf.de: could not connect to host
 ferrolatino.com: could not connect to host
 feschiyan.com: did not receive HSTS header
 festember.com: did not receive HSTS header
 festrip.com: could not connect to host
 fettbrot.tk: did not receive HSTS header
@@ -5338,16 +5385,17 @@ fiendishmasterplan.com: did not receive 
 fiftyshadesofluca.ml: could not connect to host
 fig.co: did not receive HSTS header
 fightr.co: could not connect to host
 fiksel.info: did not receive HSTS header
 fikt.space: could not connect to host
 filebox.moe: could not connect to host
 filemeal.com: did not receive HSTS header
 filey.co.uk: did not receive HSTS header
+filidorwiese.nl: did not receive HSTS header
 filmesubtitrate2017.online: could not connect to host
 filo.xyz: did not receive HSTS header
 filoitoupediou.gr: did not receive HSTS header
 finalgear.com: did not receive HSTS header
 finalvpn.com: could not connect to host
 financieringsportaal.nl: did not receive HSTS header
 finanzkontor.net: could not connect to host
 findigo.fish: could not connect to host
@@ -5620,16 +5668,17 @@ gameink.net: max-age too low: 0
 gamek.es: could not connect to host
 gamenected.com: could not connect to host
 gamenected.de: could not connect to host
 gamepad.vg: could not connect to host
 gamepader.com: could not connect to host
 gameparade.de: could not connect to host
 gameparagon.info: could not connect to host
 gamepiece.com: could not connect to host
+gamercredo.net: max-age too low: 0
 gamerpoets.com: did not receive HSTS header
 gamers-life.fr: could not connect to host
 gamerslair.org: did not receive HSTS header
 gamerz-point.de: could not connect to host
 gamesdepartment.co.uk: could not connect to host
 gameserver-sponsor.de: did not receive HSTS header
 gamesurferapp.com: could not connect to host
 gamingmedia.eu: did not receive HSTS header
@@ -5650,17 +5699,16 @@ gchp.ie: did not receive HSTS header
 gdegem.org: did not receive HSTS header
 gebn.co.uk: did not receive HSTS header
 gebn.uk: could not connect to host
 gedankenbude.info: could not connect to host
 geekbaba.com: could not connect to host
 geekcast.co.uk: did not receive HSTS header
 geekmind.org: max-age too low: 172800
 geeks.lgbt: could not connect to host
-geeks.one: did not receive HSTS header
 geeky.software: could not connect to host
 geemo.top: could not connect to host
 geli-graphics.com: did not receive HSTS header
 gemsoftheworld.org: could not connect to host
 gemuplay.com: could not connect to host
 genesischangelog.com: did not receive HSTS header
 genneve.com: did not receive HSTS header
 genshiken.org: could not connect to host
@@ -5762,27 +5810,28 @@ globalexpert.co.nz: could not connect to
 globalinsights.xyz: could not connect to host
 globalittech.com: could not connect to host
 globalmusic.ga: could not connect to host
 globalsites.nl: did not receive HSTS header
 glotter.com: did not receive HSTS header
 gloucesterphotographer.com: did not receive HSTS header
 glubbforum.de: did not receive HSTS header
 glws.org: did not receive HSTS header
+gm-assicurazioni.it: did not receive HSTS header
 gmat.ovh: could not connect to host
 gmoes.at: could not connect to host
 go.ax: did not receive HSTS header
 go2sh.de: did not receive HSTS header
 go4it.solutions: did not receive HSTS header
 goabonga.com: could not connect to host
 goalsetup.com: did not receive HSTS header
 goaltree.ch: did not receive HSTS header
 goarmy.eu: could not connect to host
 goat.chat: did not receive HSTS header
-goat.xyz: did not receive HSTS header
+goat.xyz: could not connect to host
 goben.ch: could not connect to host
 goblins.net: did not receive HSTS header
 goedeke.ml: could not connect to host
 goerner.me: did not receive HSTS header
 goge.site: could not connect to host
 gogenenglish.com: could not connect to host
 gogetssl.com: did not receive HSTS header
 goggs.eu: could not connect to host
@@ -5831,17 +5880,17 @@ gpo.gov: did not receive HSTS header
 gpstuner.com: did not receive HSTS header
 graavaapi.elasticbeanstalk.com: could not connect to host
 gracebaking.com: max-age too low: 86400
 gracechurchpc.net: max-age too low: 2592000
 gracesofgrief.com: could not connect to host
 grachtenpandverkopen.nl: could not connect to host
 grafitec.ru: did not receive HSTS header
 grana.com: did not receive HSTS header
-grandefratellonews.com: did not receive HSTS header
+grandefratellonews.com: could not connect to host
 grandlinecsk.ru: did not receive HSTS header
 grandmascookieblog.com: did not receive HSTS header
 grantedby.me: max-age too low: 0
 graph.no: did not receive HSTS header
 graphsearchengine.com: could not connect to host
 gratis-app.com: did not receive HSTS header
 gravitation.pro: did not receive HSTS header
 gravito.nl: did not receive HSTS header
@@ -5946,18 +5995,20 @@ h-og.com: could not connect to host
 h-rickroll-n.pw: could not connect to host
 h2check.org: did not receive HSTS header
 haarkliniek.com: did not receive HSTS header
 habbo.life: could not connect to host
 habbotalk.nl: could not connect to host
 hablemosdetecnologia.com.ve: could not connect to host
 hac30.com: could not connect to host
 hack.li: could not connect to host
+hackanders.com: did not receive HSTS header
 hacker8.cn: did not receive HSTS header
 hackercat.ninja: did not receive HSTS header
+hackerco.com: did not receive HSTS header
 hackerforever.com: could not connect to host
 hackerone-ext-adroll.com: could not connect to host
 hackerspace-ntnu.no: did not receive HSTS header
 hackest.org: did not receive HSTS header
 hackit.im: could not connect to host
 hackroyale.xyz: could not connect to host
 hacksnack.io: could not connect to host
 hadaf.pro: could not connect to host
@@ -6053,16 +6104,17 @@ hbvip05.com: could not connect to host
 hbvip06.com: could not connect to host
 hbvip07.com: could not connect to host
 hbvip08.com: could not connect to host
 hcie.pl: could not connect to host
 hcr.io: did not receive HSTS header
 hcs-company.com: did not receive HSTS header
 hcs-company.nl: did not receive HSTS header
 hdrboundless.com: could not connect to host
+hdritalyphotos.com: did not receive HSTS header
 hdserver.info: did not receive HSTS header
 hdsmigrationtool.com: could not connect to host
 hduin.xyz: could not connect to host
 head-shop.lt: could not connect to host
 head-shop.lv: could not connect to host
 headmates.xyz: could not connect to host
 healthjoy.com: did not receive HSTS header
 healthycod.in: could not connect to host
@@ -6084,16 +6136,17 @@ helgakristoffer.com: could not connect t
 helgakristoffer.wedding: could not connect to host
 helixflight.com: did not receive HSTS header
 hellenicaward.com: did not receive HSTS header
 helloworldhost.com: did not receive HSTS header
 hellscanyonraft.com: did not receive HSTS header
 helpadmin.net: could not connect to host
 helpium.de: could not connect to host
 helpmebuild.com: did not receive HSTS header
+helpmij.cf: did not receive HSTS header
 helpwithmybank.gov: did not receive HSTS header
 hemlockhillscabinrentals.com: did not receive HSTS header
 hencagon.com: could not connect to host
 hendersonrealestatepros.com: did not receive HSTS header
 hendric.us: did not receive HSTS header
 hepteract.us: did not receive HSTS header
 herbertmouwen.nl: could not connect to host
 here4funpartysolutions.ie: did not receive HSTS header
@@ -6230,17 +6283,16 @@ hsir.me: could not connect to host
 hsts.com.br: could not connect to host
 hsts.date: could not connect to host
 hszhyy120.com: could not connect to host
 html-lab.tk: could not connect to host
 http418.xyz: could not connect to host
 httphacker.com: could not connect to host
 https.ps: could not connect to host
 httpstatuscode418.xyz: could not connect to host
-huangh.com: could not connect to host
 huarongdao.com: did not receive HSTS header
 hubert.systems: did not receive HSTS header
 hugocollignon.fr: could not connect to host
 humanesources.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 116"  data: no]
 humblefinances.com: did not receive HSTS header
 humeurs.net: could not connect to host
 humortuga.pt: could not connect to host
 hump.dk: could not connect to host
@@ -6382,16 +6434,17 @@ imperialonlinestore.com: did not receive
 imperialwebsolutions.com: did not receive HSTS header
 imu.li: did not receive HSTS header
 imusic.dk: did not receive HSTS header
 inb4.us: could not connect to host
 inbox.li: did not receive HSTS header
 incendiary-arts.com: could not connect to host
 inche-ali.com: did not receive HSTS header
 inchomatic.com: did not receive HSTS header
+inderagamono.net: did not receive HSTS header
 indiecert.net: could not connect to host
 indiemods.com: could not connect to host
 indien.guide: could not connect to host
 indilens.com: did not receive HSTS header
 indochina.io: did not receive HSTS header
 indoorskiassen.nl: did not receive HSTS header
 indredouglas.me: could not connect to host
 industrybazar.com: max-age too low: 2592000
@@ -6527,17 +6580,16 @@ irugs.com.sg: did not receive HSTS heade
 irukandjilabs.com: could not connect to host
 irvinepa.org: max-age too low: 10540800
 is-a-furry.org: did not receive HSTS header
 ischool.co.jp: did not receive HSTS header
 isdf.me: could not connect to host
 isef-eg.com: did not receive HSTS header
 iseulde.com: did not receive HSTS header
 ishadowsocks.ltd: could not connect to host
-ishangirdhar.com: could not connect to host
 ishillaryclintoninprisonyet.com: could not connect to host
 isitamor.pm: could not connect to host
 iskai.net: did not receive HSTS header
 iskaz.rs: did not receive HSTS header
 islandzero.net: did not receive HSTS header
 islief.com: did not receive HSTS header
 ismetroonfiretoday.com: could not connect to host
 isoface33.fr: did not receive HSTS header
@@ -6545,16 +6597,17 @@ isogen5.com: could not connect to host
 isogram.nl: did not receive HSTS header
 issala.org: did not receive HSTS header
 istanbul.systems: did not receive HSTS header
 istanbultravelguide.info: could not connect to host
 istaspirtslietas.lv: did not receive HSTS header
 it-cave.com: could not connect to host
 it-go.net: did not receive HSTS header
 it-schwerin.de: could not connect to host
+itdashboard.gov: did not receive HSTS header
 itechgeek.com: max-age too low: 0
 items.lv: did not receive HSTS header
 itemton.com: could not connect to host
 itfaq.nl: did not receive HSTS header
 itfensi.net: did not receive HSTS header
 ithakama.com: did not receive HSTS header
 ithakama.cz: did not receive HSTS header
 itinsight.hu: did not receive HSTS header
@@ -6625,17 +6678,16 @@ jami.am: did not receive HSTS header
 jamourtney.com: could not connect to host
 jamyeprice.com: did not receive HSTS header
 jan-cermak.cz: did not receive HSTS header
 jan-daniels.de: did not receive HSTS header
 jan27.org: did not receive HSTS header
 janario.me: could not connect to host
 janbrodda.de: max-age too low: 2592000
 jangho.me: could not connect to host
-janiat.com: did not receive HSTS header
 janking.de: could not connect to host
 janmachynka.cz: could not connect to host
 janmg.com: did not receive HSTS header
 jannyrijneveld.nl: did not receive HSTS header
 janus-engineering.de: did not receive HSTS header
 jap-nope.de: did not receive HSTS header
 japaneseemoticons.org: did not receive HSTS header
 japanesenames.biz: did not receive HSTS header
@@ -6718,28 +6770,26 @@ jimas.eu: did not receive HSTS header
 jimenacocina.com: did not receive HSTS header
 jimgao.tk: did not receive HSTS header
 jimmehcai.com: could not connect to host
 jimmycai.org: could not connect to host
 jimmycn.com: could not connect to host
 jingyuesi.com: could not connect to host
 jinmaguoji.com: could not connect to host
 jinshavip.com: could not connect to host
-jiosongs.com: did not receive HSTS header
 jira.com: did not receive HSTS header
 jirav.io: could not connect to host
 jisaku-homepage.com: did not receive HSTS header
 jitsi.org: did not receive HSTS header
 jiyue.com: did not receive HSTS header
 jjf.org.au: did not receive HSTS header
 jka.io: did not receive HSTS header
 jkb.pics: could not connect to host
 jkbuster.com: could not connect to host
 jko.works: could not connect to host
-jldp.org: did not receive HSTS header
 jm06.com: did not receive HSTS header
 jm22.com: did not receive HSTS header
 jmdekker.it: could not connect to host
 jn1.me: did not receive HSTS header
 joakimalgroy.com: could not connect to host
 jobflyapp.com: could not connect to host
 jobshq.com: could not connect to host
 jobss.co.uk: could not connect to host
@@ -6754,17 +6804,16 @@ johngaltgroup.com: did not receive HSTS 
 johnhgaunt.com: did not receive HSTS header
 johnrom.com: did not receive HSTS header
 johnverkerk.com: could not connect to host
 jointoweb.com: could not connect to host
 jonas-keidel.de: did not receive HSTS header
 jonasgroth.se: did not receive HSTS header
 jonathan.ir: could not connect to host
 jonathanreyes.com: did not receive HSTS header
-jondarby.com: did not receive HSTS header
 jongha.me: could not connect to host
 jonirrings.com: did not receive HSTS header
 jonn.me: could not connect to host
 jonnichols.info: could not connect to host
 jonsno.ws: could not connect to host
 joostbovee.nl: could not connect to host
 jordanstrustcompany.cn: could not connect to host
 jordanstrustcompany.ru: could not connect to host
@@ -6871,17 +6920,16 @@ kaomojis.net: did not receive HSTS heade
 kaplatz.is: could not connect to host
 kapucini.si: max-age too low: 0
 kaputt.com: did not receive HSTS header
 kapverde.guide: could not connect to host
 karaoketonight.com: could not connect to host
 karloskontana.tk: could not connect to host
 karting34.com: did not receive HSTS header
 kashdash.ca: could not connect to host
-kasilag.me: did not receive HSTS header
 katalogakci.cz: did not receive HSTS header
 katiaetdavid.fr: could not connect to host
 katoju.co.jp: could not connect to host
 katproxy.al: could not connect to host
 katproxy.online: could not connect to host
 katproxy.site: could not connect to host
 katproxy.tech: could not connect to host
 katproxy.top: could not connect to host
@@ -6918,17 +6966,17 @@ kernl.us: did not receive HSTS header
 keskeces.com: did not receive HSTS header
 kevinbusse.de: did not receive HSTS header
 kevinroebert.de: did not receive HSTS header
 keymaster.lookout.com: did not receive HSTS header
 kfbrussels.be: could not connect to host
 kg-rating.com: could not connect to host
 kgxtech.com: max-age too low: 2592000
 khaganat.net: did not receive HSTS header
-ki-on.net: did not receive HSTS header
+ki-on.net: could not connect to host
 kialo.com: did not receive HSTS header
 kickass-proxies.org: could not connect to host
 kickass.al: could not connect to host
 kickasstorrents.gq: did not receive HSTS header
 kickerplaza.nl: did not receive HSTS header
 kickstart.com.pk: did not receive HSTS header
 kid-dachau.de: did not receive HSTS header
 kidkat.cn: could not connect to host
@@ -7037,17 +7085,16 @@ koukni.cz: did not receive HSTS header
 kourpe.online: could not connect to host
 kousaku.jp: did not receive HSTS header
 kpdyer.com: did not receive HSTS header
 kpebetka.net: did not receive HSTS header
 kpn-dnssec.com: did not receive HSTS header
 kprog.net: could not connect to host
 kraftfleisch.de: did not receive HSTS header
 kraigwalker.com: could not connect to host
-kraken.io: did not receive HSTS header
 kralik.xyz: could not connect to host
 kravelindo-adventure.com: could not connect to host
 krayx.com: could not connect to host
 kream.io: did not receive HSTS header
 kreavis.com: did not receive HSTS header
 kreb.io: could not connect to host
 kredietpaspoort.nl: did not receive HSTS header
 kredite.sale: could not connect to host
@@ -7411,17 +7458,16 @@ ltechnologygroup.com: did not receive HS
 ltu.social: could not connect to host
 lubomirkazakov.com: did not receive HSTS header
 lucas-garte.com: did not receive HSTS header
 lucaterzini.com: could not connect to host
 luclu7.pw: could not connect to host
 lucyparsonslabs.com: did not receive HSTS header
 ludwig.click: did not receive HSTS header
 lufthansaexperts.com: max-age too low: 2592000
-lufu.io: did not receive HSTS header
 luis-checa.com: could not connect to host
 lukaszdolan.com: did not receive HSTS header
 lukeng.me: could not connect to host
 lukonet.com: did not receive HSTS header
 luludapomerania.com: could not connect to host
 lumd.me: could not connect to host
 lumi.do: did not receive HSTS header
 lunarift.com: could not connect to host
@@ -7646,16 +7692,17 @@ mattsvensson.com: max-age too low: 0
 matty.digital: did not receive HSTS header
 maultrom.ml: could not connect to host
 maupiknik.com: did not receive HSTS header
 maur.cz: did not receive HSTS header
 maurus-automation.de: did not receive HSTS header
 mausi.co: did not receive HSTS header
 mavisang.cf: could not connect to host
 mawe.red: could not connect to host
+max.gov: did not receive HSTS header
 maxima.at: did not receive HSTS header
 maximov.space: could not connect to host
 maxmachine.ind.br: could not connect to host
 maxserver.com: did not receive HSTS header
 maya.mg: could not connect to host
 mazyun.com: max-age too low: 3600
 mazz-tech.com: could not connect to host
 mbconsultancy.nu: did not receive HSTS header
@@ -7681,17 +7728,16 @@ mecenat-cassous.com: did not receive HST
 mechmk1.me: did not receive HSTS header
 medallia.io: could not connect to host
 media-access.online: did not receive HSTS header
 mediacru.sh: could not connect to host
 mediafinancelab.org: did not receive HSTS header
 mediamag.am: max-age too low: 0
 mediawikicn.org: could not connect to host
 medienservice-fritz.de: did not receive HSTS header
-medifab.online: did not receive HSTS header
 medirich.co: could not connect to host
 meditek-dv.ru: could not connect to host
 mediterenopmaandag.nl: did not receive HSTS header
 medm-test.com: could not connect to host
 medzinenews.com: did not receive HSTS header
 meedoennoordkop.nl: could not connect to host
 meedoenzaanstad.nl: did not receive HSTS header
 meetfinch.com: could not connect to host
@@ -7942,22 +7988,26 @@ monautoneuve.fr: did not receive HSTS he
 mondar.io: could not connect to host
 mondopoint.com: did not receive HSTS header
 mondwandler.de: could not connect to host
 moneromerchant.com: could not connect to host
 moneycrownmedia.com: could not connect to host
 monika-sokol.de: did not receive HSTS header
 monitaure.io: could not connect to host
 monitman.com: did not receive HSTS header
+monodukuri.cafe: did not receive HSTS header
+monodzukuri.cafe: did not receive HSTS header
 montanacures.org: could not connect to host
 montonicms.com: could not connect to host
 moon.lc: could not connect to host
 moonchart.co.uk: did not receive HSTS header
 moonless.net: could not connect to host
 moonloupe.com: could not connect to host
+moonrhythm.info: did not receive HSTS header
+moonrhythm.io: did not receive HSTS header
 moonysbouncycastles.co.uk: did not receive HSTS header
 moosemanstudios.com: could not connect to host
 moov.is: could not connect to host
 moparisthebest.biz: could not connect to host
 moparisthebest.info: could not connect to host
 moparscape.org: did not receive HSTS header
 mopsuite.club: could not connect to host
 mor.cloud: could not connect to host
@@ -7991,16 +8041,17 @@ moviesabout.net: could not connect to ho
 movio.ga: did not receive HSTS header
 moy-gorod.od.ua: did not receive HSTS header
 mozart-game.cz: could not connect to host
 mozartgame.cz: did not receive HSTS header
 mozoa.net: could not connect to host
 mp3donusturucu.com: did not receive HSTS header
 mp3donusturucu.net: did not receive HSTS header
 mp3juices.is: could not connect to host
+mpintaamalabanna.it: did not receive HSTS header
 mpkossen.com: did not receive HSTS header
 mqas.net: could not connect to host
 mr-hosting.com: could not connect to host
 mrawe.com: could not connect to host
 mrdani.net: could not connect to host
 mrdleisure.co.uk: did not receive HSTS header
 mredsanders.net: did not receive HSTS header
 mrettich.org: did not receive HSTS header
@@ -8406,17 +8457,17 @@ nyphox.net: could not connect to host
 nysepho.pw: could not connect to host
 nysifclaimcentral.com: did not receive HSTS header
 nystart.no: did not receive HSTS header
 nz.search.yahoo.com: max-age too low: 172800
 nzbs.io: could not connect to host
 nzmk.cz: did not receive HSTS header
 nzquakes.maori.nz: could not connect to host
 o-rickroll-y.pw: could not connect to host
-o0o.one: could not connect to host
+o0o.one: did not receive HSTS header
 oasis.mobi: could not connect to host
 oben.pl: did not receive HSTS header
 obscuredfiles.com: could not connect to host
 obsydian.org: could not connect to host
 occasion-impro.com: did not receive HSTS header
 ochaken.cf: could not connect to host
 ocmeulebeke.be: did not receive HSTS header
 ocrami.us: did not receive HSTS header
@@ -8490,16 +8541,17 @@ onioncloud.org: could not connect to hos
 online-casino.eu: did not receive HSTS header
 online-pr.at: did not receive HSTS header
 online-wetten.de: did not receive HSTS header
 onlinebillingform.com: did not receive HSTS header
 onlinecompliance.org: did not receive HSTS header
 onlinedemo.hu: could not connect to host
 onlinedeposit.us: could not connect to host
 onlinekasino.de: did not receive HSTS header
+onlinepokerspelen.be: did not receive HSTS header
 onlinepollsph.com: could not connect to host
 onlineschadestaat.nl: did not receive HSTS header
 onlinespielothek.com: did not receive HSTS header
 onlinewetten.de: could not connect to host
 only-roses.co.uk: did not receive HSTS header
 only-roses.com: max-age too low: 2592000
 onlyshopstation.com: did not receive HSTS header
 onlyzero.net: could not connect to host
@@ -8599,17 +8651,17 @@ ouvirmusica.com.br: did not receive HSTS
 ovenapp.io: did not receive HSTS header
 over25tips.com: did not receive HSTS header
 override.io: could not connect to host
 oversight.io: could not connect to host
 ovuscloud.de: could not connect to host
 ovvy.net: did not receive HSTS header
 owncloud.help: could not connect to host
 ownmovies.fr: could not connect to host
-oxro.co: could not connect to host
+oxro.co: did not receive HSTS header
 oxygaming.com: did not receive HSTS header
 oxygenabsorbers.com: did not receive HSTS header
 oxymc.com: did not receive HSTS header
 oxynux.fr: could not connect to host
 oyste.in: could not connect to host
 ozoz.cc: could not connect to host
 p-rickroll-o.pw: could not connect to host
 p.linode.com: could not connect to host
@@ -8641,30 +8693,29 @@ panama-gbs.com: did not receive HSTS hea
 panamaequity.com: did not receive HSTS header
 panamateakforestry.com: did not receive HSTS header
 panelomix.net: did not receive HSTS header
 panicparts.com: max-age too low: 10540800
 panni.me: could not connect to host
 panoranordic.net: could not connect to host
 pansu.space: could not connect to host
 pants-off.xyz: could not connect to host
-pantsu.cat: did not receive HSTS header
+pantsu.cat: could not connect to host
 papalytics.com: could not connect to host
 papeda.net: could not connect to host
 papelariadante.com.br: could not connect to host
 papercard.co.uk: did not receive HSTS header
 papercrunch.io: could not connect to host
 paperwallets.io: did not receive HSTS header
 papierniak.net: could not connect to host
 papygeek.com: could not connect to host
 parabhairavayoga.com: max-age too low: 0
 paragon.edu: did not receive HSTS header
 parent5446.us: could not connect to host
 parentmail.co.uk: did not receive HSTS header
-parfum-baza.ru: did not receive HSTS header
 paris-cyber.fr: did not receive HSTS header
 parisvox.info: did not receive HSTS header
 parithy.net: could not connect to host
 parkingplus.co.il: could not connect to host
 parkrocker.com: max-age too low: 604800
 parkwithark.com: could not connect to host
 parodybit.net: did not receive HSTS header
 parpaing-paillette.net: could not connect to host
@@ -8706,16 +8757,17 @@ paulyang.cn: did not receive HSTS header
 pavelfojt.cz: did not receive HSTS header
 pavelkahouseforcisco.com: did not receive HSTS header
 paxdei.com.br: could not connect to host
 paxwinkel.nl: did not receive HSTS header
 pay.gigahost.dk: did not receive HSTS header
 payclixpayments.com: did not receive HSTS header
 payfreez.com: could not connect to host
 payload.tech: could not connect to host
+paymentaccuracy.gov: did not receive HSTS header
 payments-reference.org: could not connect to host
 payroll.ch: could not connect to host
 paytwopay.com: could not connect to host
 pbapp.net: did not receive HSTS header
 pbbr.com: did not receive HSTS header
 pbcomp.com.au: did not receive HSTS header
 pbprint.ru: did not receive HSTS header
 pc-nf.de: did not receive HSTS header
@@ -8833,17 +8885,17 @@ piggott.me.uk: did not receive HSTS head
 pilgermaske.org: did not receive HSTS header
 piligrimname.com: could not connect to host
 pillowandpepper.com: did not receive HSTS header
 pilotcrowd.nl: did not receive HSTS header
 pimpmymac.ru: did not receive HSTS header
 pims.global: did not receive HSTS header
 pioche.ovh: did not receive HSTS header
 pippen.io: could not connect to host
-pips.rocks: did not receive HSTS header
+pips.rocks: could not connect to host
 pir9.com: did not receive HSTS header
 pirata.ga: did not receive HSTS header
 piratebit.tech: could not connect to host
 piratedb.com: could not connect to host
 piratedot.com: could not connect to host
 piratelist.online: could not connect to host
 piratenlogin.de: could not connect to host
 pirateproxy.pe: could not connect to host
@@ -8943,17 +8995,17 @@ popkins.ml: could not connect to host
 popupsoftplay.com: did not receive HSTS header
 poris.web.id: could not connect to host
 pornstars.me: did not receive HSTS header
 portalm.tk: could not connect to host
 portalplatform.net: could not connect to host
 portaluniversalista.org: could not connect to host
 poshpak.com: max-age too low: 86400
 postback.io: did not receive HSTS header
-postcodewise.co.uk: could not connect to host
+postcodewise.co.uk: did not receive HSTS header
 postscheduler.org: could not connect to host
 posylka.de: did not receive HSTS header
 potatoheads.net: could not connect to host
 potsky.com: did not receive HSTS header
 pottshome.co.uk: did not receive HSTS header
 pourmesloisirs.com: could not connect to host
 poussinooz.fr: could not connect to host
 povitria.net: could not connect to host
@@ -9064,17 +9116,16 @@ ps-w.ru: did not receive HSTS header
 ps-x.ru: did not receive HSTS header
 pscleaningsolutions.co.uk: could not connect to host
 pshostpk.com: did not receive HSTS header
 psicologia.co.ve: could not connect to host
 psicologoforensebarcelona.com: did not receive HSTS header
 pstudio.me: did not receive HSTS header
 psw.academy: could not connect to host
 psw.consulting: could not connect to host
-psylab.cc: did not receive HSTS header
 ptn.moscow: could not connect to host
 ptonet.com: could not connect to host
 ptrujillo.com: did not receive HSTS header
 pubkey.is: could not connect to host
 publications.qld.gov.au: did not receive HSTS header
 publicidadnovagrass.com.mx: could not connect to host
 publicspeakingcamps.com: could not connect to host
 puentes.info: did not receive HSTS header
@@ -9317,17 +9368,16 @@ report-to.com: did not receive HSTS head
 report-to.io: did not receive HSTS header
 report-uri.io: did not receive HSTS header
 report-url.com: did not receive HSTS header
 report-url.io: did not receive HSTS header
 reported.ly: did not receive HSTS header
 reporturl.com: did not receive HSTS header
 reporturl.io: did not receive HSTS header
 reprolife.co.uk: could not connect to host
-request-trent.com: did not receive HSTS header
 res-rheingau.de: did not receive HSTS header
 res42.com: did not receive HSTS header
 reserve-online.net: did not receive HSTS header
 residentsinsurance.co.uk: did not receive HSTS header
 resl20.servehttp.com: could not connect to host
 respice.xyz: could not connect to host
 restaurace-klokocka.cz: did not receive HSTS header
 restaurant-mangal.ch: did not receive HSTS header
@@ -9348,17 +9398,16 @@ rewardstock.com: max-age too low: 0
 rewopit.net: could not connect to host
 rhapsodhy.hu: could not connect to host
 rhdigital.pro: could not connect to host
 rhering.de: could not connect to host
 rhodosdreef.nl: could not connect to host
 riaucybersolution.net: did not receive HSTS header
 richiemail.net: could not connect to host
 richmondsunlight.com: did not receive HSTS header
-richmtdriver.com: could not connect to host
 richsiciliano.com: could not connect to host
 richterphilipp.com: could not connect to host
 rid-wan.com: could not connect to host
 rideaudiscount.com: did not receive HSTS header
 rideforwade.com: could not connect to host
 rideforwade.net: could not connect to host
 rideforwade.org: could not connect to host
 rideworks.com: did not receive HSTS header
@@ -9477,17 +9526,16 @@ rusadmin.biz: did not receive HSTS heade
 ruska-modra.cz: did not receive HSTS header
 ruskamodra.cz: did not receive HSTS header
 rusl.me: could not connect to host
 russmarshall.com: could not connect to host
 rustfanatic.com: did not receive HSTS header
 ruxit.com: did not receive HSTS header
 rw-solutions.tech: could not connect to host
 rwanderlust.com: did not receive HSTS header
-rxgroup.io: did not receive HSTS header
 rxprep.com: did not receive HSTS header
 rxt.social: could not connect to host
 rxv.cc: could not connect to host
 ryanteck.uk: did not receive HSTS header
 rylin.net: did not receive HSTS header
 ryssland.guide: could not connect to host
 s-d-v.ch: could not connect to host
 s-rickroll-p.pw: could not connect to host
@@ -9520,17 +9568,16 @@ saltedskies.com: could not connect to ho
 saltra.online: could not connect to host
 salvagedfurnitureparlour.com: could not connect to host
 sametovymesic.cz: could not connect to host
 saml2.com: could not connect to host
 sampcup.com: could not connect to host
 sampoznay.ru: did not receive HSTS header
 samraskauskas.com: could not connect to host
 samsen.club: could not connect to host
-samsungmobile.it: did not receive HSTS header
 sanasalud.org: could not connect to host
 sanatfilan.com: did not receive HSTS header
 sandviks.com: did not receive HSTS header
 sanguoxiu.com: could not connect to host
 sanhei.ch: did not receive HSTS header
 sanik.my: did not receive HSTS header
 sanissimo.com.mx: max-age too low: 86400
 sansage.com.br: could not connect to host
@@ -9575,22 +9622,21 @@ saveaward.gov: could not connect to host
 savemoneyonenergy.com: max-age too low: 2592000
 saveyour.biz: could not connect to host
 savisasolutions.co.za: did not receive HSTS header
 savvysuit.com: did not receive HSTS header
 sawamura-rental.com: did not receive HSTS header
 say-hanabi.com: could not connect to host
 sayhanabi.com: could not connect to host
 sazima.ru: did not receive HSTS header
-sbobetfun.com: did not receive HSTS header
+sbobetfun.com: could not connect to host
 sbox-archives.com: could not connect to host
 sby.de: did not receive HSTS header
 sc4le.com: could not connect to host
 scala.click: did not receive HSTS header
-scallywagskids.co.uk: did not receive HSTS header
 scannabi.com: could not connect to host
 schachburg.de: did not receive HSTS header
 schadegarant.net: could not connect to host
 schau-rein.co.at: did not receive HSTS header
 schauer.so: could not connect to host
 schermreparatierotterdam.nl: did not receive HSTS header
 schmitt.ovh: could not connect to host
 schnell-abnehmen.tips: did not receive HSTS header
@@ -9721,17 +9767,17 @@ senseofnumber.co.uk: did not receive HST
 sensiblemn.org: could not connect to host
 sensibus.com: did not receive HSTS header
 seobot.com.au: could not connect to host
 seomobo.com: could not connect to host
 seosanantonioinc.com: did not receive HSTS header
 seowarp.net: did not receive HSTS header
 sep23.ru: did not receive HSTS header
 sepie.gob.es: did not receive HSTS header
-seq.tf: could not connect to host
+seq.tf: did not receive HSTS header
 serathius.ovh: could not connect to host
 serbien.guide: could not connect to host
 serenitycreams.com: did not receive HSTS header
 serfdom.io: did not receive HSTS header
 serized.pw: could not connect to host
 serverangels.co.uk: did not receive HSTS header
 servercode.ca: did not receive HSTS header
 serverdensity.io: did not receive HSTS header
@@ -9760,17 +9806,16 @@ shadow-socks.pro: did not receive HSTS h
 shadowguardian507-irl.tk: did not receive HSTS header
 shadowguardian507.tk: did not receive HSTS header
 shadowmorph.info: did not receive HSTS header
 shadowroket.com: did not receive HSTS header
 shadowshocks.net: could not connect to host
 shadowsocks.gift: did not receive HSTS header
 shadowsocks.net: could not connect to host
 shadowsocks.vc: could not connect to host
-shadowsocks.wiki: did not receive HSTS header
 shadowsocksvpn.com: did not receive HSTS header
 shadowsoks.com: could not connect to host
 shadowsu.info: did not receive HSTS header
 shadowsu.top: did not receive HSTS header
 shagi29.ru: did not receive HSTS header
 shahbeat.com: did not receive HSTS header
 shakebox.de: could not connect to host
 shanesage.com: could not connect to host
@@ -9783,17 +9828,16 @@ sharekey.com: did not receive HSTS heade
 sharepass.pw: could not connect to host
 sharepic.xyz: could not connect to host
 sharesplitter.com: could not connect to host
 sharezen.de: could not connect to host
 sharingcode.com: did not receive HSTS header
 shatorin.com: did not receive HSTS header
 shauncrowley.co.uk: could not connect to host
 shaunwheelhou.se: could not connect to host
-shavegazette.com: did not receive HSTS header
 shawnbsmith.me: did not receive HSTS header
 shawnh.net: could not connect to host
 shellsec.pw: did not receive HSTS header
 shep.co.il: did not receive HSTS header
 sheratan.web.id: could not connect to host
 shereallyheals.com: did not receive HSTS header
 shervik.ga: could not connect to host
 shg-pornographieabhaengigkeit.de: did not receive HSTS header
@@ -10129,32 +10173,33 @@ ssn1.ru: did not receive HSTS header
 sspanda.com: could not connect to host
 ssworld.ga: could not connect to host
 staack.com: could not connect to host
 stabletoken.com: could not connect to host
 stackfiles.io: could not connect to host
 stadjerspasonline.nl: could not connect to host
 stadtbauwerk.at: did not receive HSTS header
 staffjoy.com: did not receive HSTS header
-staffjoystaging.com: did not receive HSTS header
+staffjoystaging.com: could not connect to host
 stahl.xyz: could not connect to host
 stalkerhispano.com: max-age too low: 0
 stalkerteam.pl: did not receive HSTS header
 stalschermer.nl: could not connect to host
 stamparmakarije.me: did not receive HSTS header
 standardssuck.org: did not receive HSTS header
 standingmist.com: did not receive HSTS header
 stannahtrapliften.nl: did not receive HSTS header
 starandshield.com: did not receive HSTS header
 starapple.nl: did not receive HSTS header
 starfeeling.net: could not connect to host
 stargatepartners.com: did not receive HSTS header
 starmusic.ga: could not connect to host
 startuponcloud.com: max-age too low: 2678400
 stash.ai: did not receive HSTS header
+stassi.ch: did not receive HSTS header
 state-sponsored-actors.net: could not connect to host
 statementinsertsforless.com: did not receive HSTS header
 stateofexception.io: could not connect to host
 static.or.at: did not receive HSTS header
 staticanime.net: could not connect to host
 stationaryjourney.com: did not receive HSTS header
 stationcharlie.com: could not connect to host
 stationnementdenuit.ca: did not receive HSTS header
@@ -10163,17 +10208,16 @@ statuschecks.net: could not connect to h
 stavebnice.net: did not receive HSTS header
 stayokhotelscdc-mailing.com: could not connect to host
 stcable.net: did not receive HSTS header
 stcomex.com: did not receive HSTS header
 steampunkrobot.com: did not receive HSTS header
 steelbea.ms: could not connect to host
 steem.io: did not receive HSTS header
 stefanweiser.de: did not receive HSTS header
-steidlewirt.de: did not receive HSTS header
 stepbystep3d.com: did not receive HSTS header
 steph-autoecole.ch: did not receive HSTS header
 stephanierxo.com: did not receive HSTS header
 stephanos.me: could not connect to host
 stephenandburns.com: did not receive HSTS header
 stevechekblain.win: could not connect to host
 stevensheffey.me: could not connect to host
 stevensononthe.net: did not receive HSTS header
@@ -10181,29 +10225,30 @@ stevenz.net: could not connect to host
 stewartremodelingadvantage.com: could not connect to host
 sticklerjs.org: could not connect to host
 stig.io: did not receive HSTS header
 stigroom.com: could not connect to host
 stillblackhat.id: could not connect to host
 stinkytrashhound.com: could not connect to host
 stirlingpoon.net: could not connect to host
 stirlingpoon.xyz: could not connect to host
-stitthappens.com: could not connect to host
+stitthappens.com: did not receive HSTS header
 stkbn.com: could not connect to host
 stkeverneparishcouncil.org.uk: did not receive HSTS header
 stl.news: did not receive HSTS header
 stmbgr.com: could not connect to host
 stn.me.uk: did not receive HSTS header
 stockseyeserum.com: could not connect to host
 stocktrade.de: could not connect to host
 stoffe-monster.de: did not receive HSTS header
 stoick.me: could not connect to host
 stole-my.bike: could not connect to host
 stole-my.tv: could not connect to host
 stonecutterscommunity.com: could not connect to host
+stopbreakupnow.org: did not receive HSTS header
 stopwoodfin.org: could not connect to host
 storbritannien.guide: could not connect to host
 store-host.com: did not receive HSTS header
 storecove.com: did not receive HSTS header
 storeden.com: did not receive HSTS header
 storefrontify.com: did not receive HSTS header
 storiesofhealth.org: did not receive HSTS header
 stormhub.org: could not connect to host
@@ -10253,16 +10298,17 @@ suian.or.jp: max-age too low: 86400
 suite73.org: could not connect to host
 summitbankofkc.com: did not receive HSTS header
 summitmasters.net: did not receive HSTS header
 sumoatm.com: did not receive HSTS header
 sumoscout.de: could not connect to host
 sun-wellness-online.com.vn: did not receive HSTS header
 suncountrymarine.com: did not receive HSTS header
 sundaycooks.com: max-age too low: 2592000
+sunflyer.cn: did not receive HSTS header
 sunlandsg.vn: did not receive HSTS header
 sunnyfruit.ru: could not connect to host
 sunshinepress.org: could not connect to host
 sunyanzi.tk: could not connect to host
 suos.io: could not connect to host
 supcro.com: could not connect to host
 super-erotica.ru: could not connect to host
 super-garciniaslim.com: could not connect to host
@@ -10355,21 +10401,20 @@ tadigitalstore.com: could not connect to
 tafoma.com: did not receive HSTS header
 tageau.com: could not connect to host
 taglondon.org: did not receive HSTS header
 tahakomat.cz: could not connect to host
 tahf.net: did not receive HSTS header
 tailify.com: did not receive HSTS header
 tails.com.ar: did not receive HSTS header
 takumi-s.net: did not receive HSTS header
-talentuar.com: did not receive HSTS header
 tales-of-interia.de: could not connect to host
 talheim-records.ca: could not connect to host
 talkitup.mx: could not connect to host
-talkitup.online: did not receive HSTS header
+talkitup.online: could not connect to host
 talklifestyle.nl: could not connect to host
 tallr.se: could not connect to host
 tallshoe.com: could not connect to host
 tamex.xyz: could not connect to host
 tandarts-haarlem.nl: did not receive HSTS header
 tangel.me: could not connect to host
 tangibilizing.com: could not connect to host
 tangyue.date: did not receive HSTS header
@@ -10397,28 +10442,28 @@ tastyyy.co: could not connect to host
 tatilbus.com: did not receive HSTS header
 tatt.io: could not connect to host
 tattvaayoga.com: did not receive HSTS header
 tauchkater.de: could not connect to host
 tavoittaja.fi: did not receive HSTS header
 tavopica.lt: did not receive HSTS header
 taxaudit.com: did not receive HSTS header
 taxbench.com: could not connect to host
+taxi-24std.de: did not receive HSTS header
 taxsnaps.co.nz: did not receive HSTS header
 tazj.in: did not receive HSTS header
 tazz.in: could not connect to host
 tc-bonito.de: did not receive HSTS header
 tcao.info: could not connect to host
 tcby45.xyz: could not connect to host
 tcdw.net: did not receive HSTS header
 tcl.ath.cx: did not receive HSTS header
 tcomms.org: max-age too low: 0
 tcp.expert: did not receive HSTS header
 tcwebvn.com: could not connect to host
-tdfbfoundation.org: did not receive HSTS header
 tdsb.ga: could not connect to host
 tdsb.gq: could not connect to host
 tdsb.ml: could not connect to host
 tdsbhack.cf: could not connect to host
 tdsbhack.ga: could not connect to host
 tdsbhack.gq: could not connect to host
 tdsbhack.ml: could not connect to host
 teachforcanada.ca: did not receive HSTS header
@@ -10650,26 +10695,27 @@ ticketoplichting.nl: did not receive HST
 tickopa.co.uk: could not connect to host
 tickreport.com: did not receive HSTS header
 ticktock.today: did not receive HSTS header
 tictactux.de: could not connect to host
 tidmore.us: could not connect to host
 tiendschuurstraat.nl: could not connect to host
 tiensnet.com: could not connect to host
 tierrarp.com: could not connect to host
+tiffanytravels.com: did not receive HSTS header
 tightlineproductions.com: did not receive HSTS header
 tikutiku.pl: could not connect to host
 tildebot.com: could not connect to host
 tilient.eu: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 116"  data: no]
 tilikum.io: did not receive HSTS header
 tilkah.com.au: did not receive HSTS header
 tillcraft.com: could not connect to host
 timbeilby.com: could not connect to host
 timbuktutimber.com: did not receive HSTS header
-timcamara.com: could not connect to host
+timcamara.com: did not receive HSTS header
 time-river.xyz: could not connect to host
 timeatlas.com: did not receive HSTS header
 timesavingplugins.com: could not connect to host
 timesavingplugins.net: could not connect to host
 timeserver0.de: could not connect to host
 timeserver1.de: could not connect to host
 timeserver2.de: could not connect to host
 timeserver3.de: could not connect to host
@@ -10703,17 +10749,16 @@ tlcdn.net: could not connect to host
 tlo.hosting: could not connect to host
 tlo.link: could not connect to host
 tlo.network: could not connect to host
 tls.li: could not connect to host
 tlsbv.nl: did not receive HSTS header
 tlshost.net: could not connect to host
 tm-solutions.eu: could not connect to host
 tmaward.net: could not connect to host
-tmconnects.com: did not receive HSTS header
 tmhlive.com: could not connect to host
 tmitchell.io: could not connect to host
 tmprod.com: did not receive HSTS header
 tmtradingmorocco.ma: did not receive HSTS header
 tncnanet.com.br: could not connect to host
 tno.io: could not connect to host
 tnrsca.jp: did not receive HSTS header
 tobaby.com.br: could not connect to host
@@ -10835,17 +10880,16 @@ travelinsurance.co.nz: did not receive H
 trazosdearte.com: did not receive HSTS header
 treatprostatewithhifu.com: could not connect to host
 treeby.net: could not connect to host
 treeremovaljohannesburg.co.za: could not connect to host
 treino.blog.br: could not connect to host
 trell.co.in: did not receive HSTS header
 trendberry.ru: could not connect to host
 trendisland.de: did not receive HSTS header
-trentmaydew.com: did not receive HSTS header
 triadwars.com: did not receive HSTS header
 tridimage.com: did not receive HSTS header
 trileg.net: could not connect to host
 trinity.fr.eu.org: could not connect to host
 trinityaffirmations.com: max-age too low: 0
 trinitycore.org: max-age too low: 2592000
 trinitytechdev.com: did not receive HSTS header
 tripdelta.com: did not receive HSTS header
@@ -10877,16 +10921,17 @@ ttackmedical.com.br: could not connect t
 tts.co.nz: could not connect to host
 tuamoronline.com: could not connect to host
 tubbutec.de: did not receive HSTS header
 tubepro.de: did not receive HSTS header
 tubetoon.com: did not receive HSTS header
 tubetooncartoons.com: did not receive HSTS header
 tubex.ga: could not connect to host
 tucker.wales: could not connect to host
+tuminauskas.lt: did not receive HSTS header
 tunai.id: could not connect to host
 tunca.it: did not receive HSTS header
 tunebitfm.de: could not connect to host
 turkrock.com: did not receive HSTS header
 turnik-67.ru: could not connect to host
 turniker.ru: could not connect to host
 turnsticks.com: could not connect to host
 turtlementors.com: could not connect to host
@@ -11062,16 +11107,17 @@ uscurrency.gov: did not receive HSTS hea
 used-in.jp: could not connect to host
 usedesk.ru: did not receive HSTS header
 useevlo.com.br: did not receive HSTS header
 user-new.com: did not receive HSTS header
 usercare.com: did not receive HSTS header
 userify.com: max-age too low: 0
 uslab.io: could not connect to host
 usr.nz: did not receive HSTS header
+ustr.gov: did not receive HSTS header
 utilitronium-shockwave.com: could not connect to host
 utleieplassen.no: could not connect to host
 utopiagalaxy.space: could not connect to host
 utopian-surgery.com: could not connect to host
 utopianconcept.com: did not receive HSTS header
 utopianhomespa.com: did not receive HSTS header
 utopianrealms.org: did not receive HSTS header
 utopians.dk: did not receive HSTS header
@@ -11250,17 +11296,19 @@ vizeat.com: did not receive HSTS header
 vlora.city: could not connect to host
 vm0.eu: could not connect to host
 vmrdev.com: could not connect to host
 voceinveste.com: did not receive HSTS header
 voicesuk.co.uk: did not receive HSTS header
 voidserv.net: could not connect to host
 volbyzive.cz: did not receive HSTS header
 volcrado.com: did not receive HSTS header
+voliere-info.nl: did not receive HSTS header
 volkden.com: could not connect to host
+volkerwesselswave.nl: did not receive HSTS header
 voltotc.com: did not receive HSTS header
 vonavy-cukor.sk: could not connect to host
 vonavycukor.sk: could not connect to host
 vonedelmann.de: did not receive HSTS header
 vonterra.us: did not receive HSTS header
 vooreenveiligthuis.nl: did not receive HSTS header
 voorjou.com: did not receive HSTS header
 vorangerie.com: could not connect to host
@@ -11323,17 +11371,16 @@ wangqiliang.org: could not connect to ho
 wangqiliang.xn--fiqs8s: could not connect to host
 wangzuan168.cc: did not receive HSTS header
 wapjt.cn: could not connect to host
 wapking.live: did not receive HSTS header
 wapt.fr: did not receive HSTS header
 warandpeace.xyz: could not connect to host
 wardsegers.be: did not receive HSTS header
 warehost.de: did not receive HSTS header
-warekit.io: did not receive HSTS header
 warhistoryonline.com: did not receive HSTS header
 warped.com: did not receive HSTS header
 warrencreative.com: did not receive HSTS header
 warsentech.com: could not connect to host
 warsh.moe: did not receive HSTS header
 warumsuchen.at: did not receive HSTS header
 wasatchcrest.com: did not receive HSTS header
 wasi-net.de: did not receive HSTS header
@@ -11417,17 +11464,16 @@ weltentreff.com: could not connect to ho
 weltmeisterschaft.net: could not connect to host
 weme.eu: could not connect to host
 wendalyncheng.com: did not receive HSTS header
 wenz.io: did not receive HSTS header
 werdeeintimo.de: did not receive HSTS header
 werkenbijkfc.nl: did not receive HSTS header
 werkplaatsoost.nl: did not receive HSTS header
 werkruimtebottendaal.nl: could not connect to host
-wesayyesprogram.com: max-age too low: 0
 wesleyharris.ca: did not receive HSTS header
 westendzone.com: max-age too low: 0
 westerhoud.nl: did not receive HSTS header
 westlinwinds.com: did not receive HSTS header
 westsussexconnecttosupport.org: could not connect to host
 wetoxic.com: did not receive HSTS header
 wettbonus.info: did not receive HSTS header
 wettbuero.de: did not receive HSTS header
@@ -11469,21 +11515,21 @@ wiire.me: could not connect to host
 wikiclash.info: could not connect to host
 wikipeter.nl: did not receive HSTS header
 wikisports.eu: could not connect to host
 wildbee.org: could not connect to host
 wildbirds.dk: did not receive HSTS header
 wilddog.com: did not receive HSTS header
 wilf1rst.com: could not connect to host
 willcipriano.com: could not connect to host
+willeminfo.ch: did not receive HSTS header
 willemsjort.be: did not receive HSTS header
 william.si: did not receive HSTS header
 williamsapiens.com: could not connect to host
 willosagiede.com: did not receive HSTS header
-willstamper.name: did not receive HSTS header
 winaes.com: did not receive HSTS header
 winclient.cn: could not connect to host
 windowsforum.com: max-age too low: 0
 winds.cf: could not connect to host
 winecodeavocado.com: could not connect to host
 winfield.me.uk: did not receive HSTS header
 winged.io: could not connect to host
 wingos.net: could not connect to host
@@ -11581,17 +11627,17 @@ www-1117.com: could not connect to host
 www-39988.com: did not receive HSTS header
 www-507.net: could not connect to host
 www-746.com: could not connect to host
 www-771122.com: did not receive HSTS header
 www-8003.com: did not receive HSTS header
 www-88599.com: did not receive HSTS header
 www-9995.com: did not receive HSTS header
 www-djbet.com: did not receive HSTS header
-www-jinshavip.com: did not receive HSTS header
+www-jinshavip.com: could not connect to host
 www.cueup.com: could not connect to host
 www.cyveillance.com: did not receive HSTS header
 www.developer.mydigipass.com: could not connect to host
 www.elanex.biz: did not receive HSTS header
 www.gamesdepartment.co.uk: could not connect to host
 www.gpo.gov: did not receive HSTS header
 www.greplin.com: could not connect to host
 www.jitsi.org: did not receive HSTS header
@@ -11601,16 +11647,17 @@ www.moneybookers.com: did not receive HS
 www.neonisi.com: could not connect to host
 www.paycheckrecords.com: did not receive HSTS header
 www.rme.li: did not receive HSTS header
 www.sandbox.mydigipass.com: could not connect to host
 www.surfeasy.com: did not receive HSTS header
 www.viasinc.com: did not receive HSTS header
 www.zenpayroll.com: did not receive HSTS header
 www3.info: did not receive HSTS header
+wxrlab.com: did not receive HSTS header
 wxukang.cn: did not receive HSTS header
 wybmabiity.com: could not connect to host
 wygluszanie.eu: did not receive HSTS header
 wyzphoto.nl: did not receive HSTS header
 x-pertservice.com: did not receive HSTS header
 x-power-detox.com: could not connect to host
 x-ripped-hd.com: could not connect to host
 x23.eu: did not receive HSTS header
@@ -11801,16 +11848,18 @@ yunzhan.io: did not receive HSTS header
 yunzhu.org: could not connect to host
 yuriykuzmin.com: did not receive HSTS header
 yutabon.com: could not connect to host
 yuushou.com: could not connect to host
 yux.io: did not receive HSTS header
 ywei.org: could not connect to host
 ywyz.tech: did not receive HSTS header
 yzal.io: could not connect to host
+z33.ch: did not receive HSTS header
+z33.co: did not receive HSTS header
 z3liff.com: could not connect to host
 z3liff.net: could not connect to host
 zadarkside.ro: max-age too low: 0
 zadieheimlich.com: did not receive HSTS header
 zakoncontrol.com: did not receive HSTS header
 zamorano.edu: could not connect to host
 zamos.ru: max-age too low: 0
 zaneweb.org: could not connect to host
--- a/security/manager/ssl/nsSTSPreloadList.inc
+++ b/security/manager/ssl/nsSTSPreloadList.inc
@@ -3,17 +3,17 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*****************************************************************************/
 /* This is an automatically generated file. If you're not                    */
 /* nsSiteSecurityService.cpp, you shouldn't be #including it.     */
 /*****************************************************************************/
 
 #include <stdint.h>
-const PRTime gPreloadListExpirationTime = INT64_C(1531599935270000);
+const PRTime gPreloadListExpirationTime = INT64_C(1531684123172000);
 %%
 0-1.party, 1
 0.me.uk, 1
 0005pay.com, 1
 00100010.net, 1
 0010100.net, 1
 00120012.net, 1
 00130013.net, 1
@@ -369,17 +369,16 @@ 365skulls.com, 1
 3778vip.com, 1
 379700.com, 1
 3839.ca, 1
 38888msc.com, 1
 388da.com, 1
 38blog.com, 1
 393335.ml, 1
 398.info, 1
-3ags.de, 1
 3bakayottu.com, 1
 3bigking.com, 1
 3c-d.de, 1
 3chat.org, 1
 3circlefunding.ch, 1
 3countiescastlehire.co.uk, 1
 3cs.ch, 1
 3dm.audio, 1
@@ -699,17 +698,16 @@ aaapl.com, 1
 aabanet.com.br, 1
 aacfree.com, 1
 aagetransport.no, 1
 aalalbayt.com, 1
 aalalbayt.net, 1
 aalstmotors-usedcars.be, 1
 aaltocapital.com, 1
 aamwa.com, 1
-aanbieders.ga, 1
 aandeautobody.com, 1
 aandkevents.co.uk, 1
 aanmpc.com, 1
 aaomidi.com, 1
 aapas.org.ar, 1
 aardvarksolutions.co.za, 1
 aariefhaafiz.com, 1
 aarkue.eu, 1
@@ -920,17 +918,16 @@ aclu.org, 0
 acluva.org, 0
 acme.beer, 1
 acmexyz123.info, 1
 acnpacific.com, 1
 aconnor.xyz, 1
 acordes.online, 1
 acorncastles.co.uk, 1
 acorns.com, 1
-acourse.io, 1
 acousti-tech.com, 1
 acoustique-tardy.com, 1
 acperu.ch, 1
 acpinformatique.fr, 1
 acrevalue.com, 1
 acroso.me, 1
 across.ml, 1
 acrossgw.com, 1
@@ -1704,16 +1701,17 @@ alt.org, 1
 altahrim.net, 1
 altaide.com, 1
 altaplana.be, 1
 altbinaries.com, 1
 altedirect.com, 1
 alter-news.fr, 1
 alterbaum.net, 1
 altercpa.ru, 1
+altered.network, 1
 alternador.com.br, 1
 alternative.bike, 1
 alternativebit.fr, 1
 alternativedev.ca, 1
 alternativet.party, 1
 alterspalter.de, 1
 altesses.eu, 1
 altestore.com, 1
@@ -2095,17 +2093,16 @@ annonasoftware.com, 1
 annotate.software, 1
 annoyingasfuk.com, 1
 annrusnak.com, 1
 annuaire-jcb.com, 1
 annuaire-photographe.fr, 0
 anohana.org, 1
 anojan.com, 1
 anon-next.de, 1
-anonboards.com, 1
 anoncom.net, 1
 anoneko.com, 1
 anongoth.pl, 1
 anonrea.ch, 1
 anons.fr, 1
 anonukradio.org, 1
 anonym-surfen.de, 1
 anonyme-spieler.at, 1
@@ -2509,17 +2506,16 @@ arrowgrove.com, 1
 arrowheadaddict.com, 1
 arrowwebprojects.nl, 1
 arschkrebs.org, 1
 arsenal.ru, 1
 arsk1.com, 1
 art-et-culture.ch, 1
 artansoft.com, 1
 artboja.com, 1
-artbytik.ru, 1
 artdeco-photo.com, 1
 artea.ga, 1
 arteaga.co.uk, 1
 arteaga.me, 1
 arteaga.tech, 1
 arteaga.uk, 1
 arteaga.xyz, 1
 artecat.ch, 1
@@ -2558,16 +2554,17 @@ arto.bg, 1
 artofeyes.nl, 1
 artofwhere.com, 1
 artratio.net, 1
 artroot.jp, 1
 artroscopiaperlosport.it, 1
 artschmidtoptical.com, 1
 artspac.es, 1
 artstopinc.com, 1
+arturkohut.com, 1
 arturrossa.de, 1
 arturszalak.com, 1
 artweby.cz, 1
 artworxbathrooms.com.au, 1
 arty.name, 1
 arubasunsetbeach.com, 1
 arveron.ch, 1
 arvid.io, 1
@@ -2981,16 +2978,17 @@ avmemo.com, 1
 avmo.pw, 1
 avmoo.com, 1
 avnet.ws, 1
 avocode.com, 1
 avonlearningcampus.com, 1
 avotoma.com, 1
 avova.de, 1
 avpres.net, 1
+avqueen.cn, 1
 avso.pw, 1
 avsox.com, 1
 avspot.net, 1
 avticket.ru, 0
 avtoforex.ru, 1
 avtogara-isperih.com, 1
 avtovokzaly.ru, 1
 avvcorda.com, 1
@@ -4207,17 +4205,16 @@ birzan.org, 1
 biscoint.io, 1
 biscuits-rec.com, 1
 biscuits-shop.com, 1
 biser-borisov.eu, 1
 bismarck-tb.de, 1
 bison.co, 1
 bissalama.org, 1
 bisschopssteeg.nl, 1
-bistrocean.com, 1
 bistrotdelagare.fr, 1
 biswas.me, 1
 bit-cloud.de, 1
 bit-rapid.com, 1
 bit-sentinel.com, 1
 bit.voyage, 1
 bit8.com, 1
 bitace.com, 1
@@ -6104,17 +6101,16 @@ ceu.edu, 0
 cevo.com.hr, 1
 ceyizlikelisleri.com, 1
 cf-ide.de, 1
 cfa.gov, 1
 cfan.space, 1
 cfh.com, 1
 cfneia.org, 1
 cfno.org, 1
-cfo.gov, 1
 cfpa-formation.fr, 1
 cfsh.tk, 1
 cftcarouge.com, 1
 cfxdesign.com, 1
 cg-systems.hu, 1
 cg.search.yahoo.com, 0
 cgal.org, 1
 cgan.de, 1
@@ -6237,16 +6233,17 @@ chasse-et-plaisir.com, 1
 chat-libera.org, 1
 chat-senza-registrazione.net, 1
 chat.cz, 1
 chat40.net, 1
 chatbelgie.eu, 1
 chatbotclic.com, 1
 chatbotclick.com, 1
 chatbots.email, 1
+chatbots.systems, 1
 chatear.social, 1
 chateau-belvoir.com, 1
 chateau-de-lisle.fr, 1
 chateaudestrainchamps.com, 1
 chateaudevaugrigneuse.com, 1
 chatfacile.org, 1
 chatint.com, 1
 chatitaly.org, 1
@@ -6615,17 +6612,17 @@ circulatedigital.com, 1
 cirfi.com, 1
 ciri.com.co, 1
 cirope.com, 1
 cirrus0.de, 1
 cirugiasplasticas.com.mx, 1
 cirujanooral.com, 1
 cirurgicagervasio.com.br, 1
 cirurgicalucena.com.br, 1
-ciscodude.net, 0
+ciscodude.net, 1
 cisoaid.com, 1
 ciss.ltd, 1
 cisy.me, 1
 citationgurus.com, 1
 citcuit.in, 1
 citimarinestore.com, 1
 citizen-cam.de, 1
 citizensbankal.com, 1
@@ -7321,17 +7318,16 @@ construct-trust.com, 1
 constructionjobs.com, 1
 constructive.men, 1
 consul.io, 1
 consultcelerity.com, 1
 consultingroupitaly.com, 1
 consultpetkov.com, 1
 consumer.gov, 1
 consumeractionlawgroup.com, 1
-consumerfiles.com, 1
 consumersentinel.gov, 1
 consumidor.gov, 1
 consuwijzer.nl, 1
 contactsingapore.sg, 1
 contaquanto.com.br, 1
 content-api-dev.azurewebsites.net, 0
 contentcoms.co.uk, 1
 contentdesign.de, 1
@@ -8409,17 +8405,17 @@ daw.nz, 1
 dawnbringer.eu, 1
 dawnbringer.net, 1
 dawnson.is, 1
 dawnsonb.com, 1
 dawoud.org, 1
 dawson-floridavilla.co.uk, 1
 day-peak.com, 1
 daylightpirates.org, 1
-dayman.net, 1
+dayman.net, 0
 days.one, 1
 daysoftheyear.com, 1
 db-sanity.com, 1
 db-works.nl, 1
 dbapress.org, 1
 dbaron.org, 1
 dbas.cz, 1
 dbcom.ru, 1
@@ -8454,16 +8450,17 @@ dclaisse.fr, 1
 dcmt.co, 1
 dcpower.eu, 1
 dcrdev.com, 1
 dd.art.pl, 1
 ddel.de, 1
 dden.ca, 1
 dden.website, 1
 dden.xyz, 1
+ddepot.us, 0
 ddfreedish.site, 0
 ddhosted.com, 1
 ddmeportal.com, 1
 ddns-anbieter.de, 1
 ddnsweb.com, 1
 ddocu.me, 1
 ddos-mitigation.co.uk, 1
 ddos-mitigation.info, 1
@@ -8876,16 +8873,17 @@ devpsy.info, 1
 devrandom.net, 1
 devstaff.gr, 1
 devtestfan1.gov, 1
 devyn.ca, 1
 devzero.io, 1
 dewaard.de, 1
 dewalch.net, 1
 dewapress.com, 1
+dewebwerf.nl, 1
 dewinter.com, 1
 dexalo.de, 1
 dezeregio.nl, 1
 dezet-ev.de, 1
 dezintranet.com, 1
 dezmembrariromania.ro, 1
 dezshop24.de, 1
 df1paw.de, 1
@@ -9052,17 +9050,16 @@ digitaldeli.tv, 1
 digitaldeli.us, 1
 digitaldeliarchive.com, 1
 digitaldem.it, 1
 digitalehandtekeningen.nl, 1
 digitaleoverheid.nl, 1
 digitalewelten.de, 1
 digitalfishfun.com, 1
 digitalgov.gov, 0
-digitalhurricane.io, 1
 digitalmaniac.co.uk, 1
 digitalmarketingindallas.com, 1
 digitalrights.center, 1
 digitalrights.fund, 1
 digitalrxcloud.com, 1
 digitalsurge.io, 1
 digitaltechnologies.ltd.uk, 1
 digitalunite.de, 1
@@ -9438,17 +9435,17 @@ domynetwork.com, 1
 domypapers.com, 1
 domyresearchpaper.com, 1
 domyreview.net, 1
 domyspeech.com, 1
 domytermpaper.com, 1
 domythesis.net, 1
 domyzitrka.cz, 1
 donabeneko.jp, 1
-donateaday.net, 1
+donateaday.net, 0
 donfelino.tk, 0
 dongkexue.com, 1
 dongxuwang.com, 1
 donhoward.org, 1
 donkeytrekkingkefalonia.com, 1
 donmaldeamores.com, 1
 donnachie.net, 1
 donner-reuschel.de, 1
@@ -9847,17 +9844,16 @@ dusmomente.com, 1
 dusnan.com, 1
 dustplanet.de, 1
 dustri.org, 1
 dustycloth.com, 1
 dustygroove.com, 1
 dustyspokesbnb.ca, 1
 dutch.desi, 1
 dutch1.nl, 1
-dutchessuganda.com, 1
 dutchrank.nl, 1
 dutchwanderers.nl, 1
 dutchweballiance.nl, 1
 dutyfreeonboard.com, 1
 dvbris.co.uk, 1
 dvbris.com, 1
 dvdland.com.au, 1
 dvhosting.be, 1
@@ -9977,17 +9973,16 @@ eaglesecurity.com, 1
 eagletechz.com.br, 1
 eagleyecs.com, 1
 eaimty.com, 1
 ealev.de, 1
 eames-clayton.us, 1
 eapestudioweb.com, 1
 earl.org.uk, 1
 earlyyearshub.com, 1
-earmarks.gov, 1
 earn.com, 1
 earth-people.org, 1
 earthsystemprediction.gov, 1
 earticleblog.com, 1
 earvinkayonga.com, 1
 easelforart.com, 1
 easez.net, 1
 eashwar.com, 1
@@ -11857,17 +11852,16 @@ fence-stlouis.com, 1
 feng-in.com, 1
 feng-in.net, 1
 feng.si, 1
 fengyadi.com, 1
 fengyi.tel, 1
 fenster-bank.at, 1
 fenster-bank.de, 1
 fensterbau-mutscheller.de, 1
-feragon.net, 0
 feras-alhajjaji.com, 1
 ferdies.co.za, 1
 fergusoncastle.com, 1
 ferien-netzwerk.de, 1
 ferienchalet-wallis.ch, 1
 ferienhaeuser-krummin.de, 1
 ferienhaus-polchow-ruegen.de, 0
 ferienwohnungen-lastminute.de, 1
@@ -11983,17 +11977,16 @@ fileio.io, 1
 filesense.com, 1
 filestar.io, 1
 filetransfer.one, 1
 filewall.de, 1
 filhin.es, 1
 filhodohomem.com, 1
 filhomes.ph, 1
 fili.org, 1
-filidorwiese.nl, 1
 filingsmadeeasy.com, 1
 filip-prochazka.com, 1
 filippo.io, 1
 filipsebesta.com, 1
 filleritemsindia.com, 1
 fillitupchallenge.eu, 1
 fillmysuitca.se, 1
 fillo.sk, 1
@@ -13056,17 +13049,16 @@ gameguardian.net, 1
 gameisbest.jp, 1
 gamekeepers.cz, 1
 gamekeysuche.de, 1
 gamenerd.net, 1
 gameofbay.org, 1
 gameofpwnz.com, 1
 gamepad.com.br, 1
 gamercredo.com, 1
-gamercredo.net, 1
 gamerezo.com, 1
 gamerz-stream.com, 1
 gamerzdot.com, 1
 games4theworld.org, 1
 gameserver-sponsor.me, 1
 gameshowchallenge.ie, 1
 gamesplanet.com, 1
 gamesputnik.ru, 1
@@ -13219,16 +13211,17 @@ geekbundle.org, 0
 geekchimp.com, 1
 geekclubbooks.com, 1
 geeklair.net, 1
 geeklan.co.uk, 1
 geekles.net, 1
 geeknik.com, 1
 geekpad.com, 1
 geeks.berlin, 1
+geeks.one, 1
 geekshirts.cz, 1
 geektopia.es, 1
 geekwhack.org, 1
 geekwithabudget.com, 1
 geekwu.org, 1
 geekystudios.us, 1
 geekz.sk, 1
 geekzone.co.nz, 1
@@ -13663,17 +13656,16 @@ gloomyvancouver.com, 1
 glossopnorthendafc.co.uk, 1
 glotech.co.uk, 1
 glueck-im-norden.de, 1
 gluecksgriff-taschen.de, 1
 glueckskindter.de, 1
 glutenfreelife.co.nz, 1
 glyph.ws, 1
 glyxins.com, 1
-gm-assicurazioni.it, 1
 gm.search.yahoo.com, 0
 gmail.com, 0
 gmantra.org, 1
 gmanukyan.com, 1
 gmbh-kiekin.de, 1
 gmc.uy, 1
 gmcd.co, 1
 gmdu.net, 1
@@ -14301,33 +14293,31 @@ habview.net, 1
 haccp.bergamo.it, 1
 haccp.milano.it, 1
 haccp.roma.it, 1
 hacettepeteknokent.com.tr, 1
 hachre.de, 1
 hack.club, 1
 hack.cz, 1
 hackademix.net, 1
-hackanders.com, 1
 hackattack.com, 1
 hackbarth.guru, 1
 hackbeil.name, 1
 hackbubble.me, 1
 hackcraft.net, 1
 hackenkunjeleren.nl, 1
 hackenturet.dk, 1
 hacker.club, 1
 hacker.deals, 1
 hacker.im, 1
 hacker.one, 1
 hacker.parts, 1
 hacker1.com, 1
 hacker101.com, 1
 hackerchai.com, 1
-hackerco.com, 1
 hackergateway.com, 1
 hackerlite.xyz, 1
 hackernet.se, 1
 hackerone-ext-content.com, 1
 hackerone-user-content.com, 1
 hackerone.com, 1
 hackerone.net, 1
 hackerpoints.com, 1
@@ -14623,17 +14613,16 @@ hdc.cz, 1
 hdcenter.cc, 1
 hdeaves.uk, 1
 hdf.world, 1
 hdfgroup.org, 1
 hdguru.com, 1
 hdhoang.space, 1
 hdm.io, 1
 hdnastudio.com, 1
-hdritalyphotos.com, 1
 hdrsource.com, 1
 hdrtranscon.com, 1
 hds-lan.de, 1
 hdwallpapers.net, 1
 hdy.nz, 1
 head.org, 1
 head.ru, 1
 headjapan.com, 1
@@ -14774,17 +14763,16 @@ helpconnect.com.au, 1
 helpdebit.com, 1
 helpekwendenihospital.com, 1
 helpfacile.com, 1
 helpfixe.com, 1
 helpflux.com, 1
 helpfute.com, 1
 helpgerer.com, 1
 helpgoabroad.com, 1
-helpmij.cf, 1
 helppresta.com, 1
 helpstarloja.com.br, 1
 helpverif.com, 1
 helsingfors.guide, 1
 helsinki.dating, 1
 helup.com, 1
 helvella.de, 1
 hematoonkologia.pl, 1
@@ -15421,16 +15409,17 @@ hu.search.yahoo.com, 0
 hua-in.com, 1
 hua-in.net, 1
 hua-li88.com, 1
 hua-li88.net, 1
 huagati.com, 1
 huahinpropertylisting.com, 1
 huang.nu, 1
 huangguancq.com, 1
+huangh.com, 1
 huangjingjing.com, 1
 huangting.me, 1
 huangzenghao.cn, 1
 huangzenghao.com, 1
 huaxueba.com, 1
 hub.org.ua, 1
 hub385.com, 1
 huberulrich.de, 1
@@ -16064,17 +16053,16 @@ incowrimo.org, 1
 incparadise.net, 1
 increasetestosteronelevels.org, 1
 incubos.org, 1
 ind.ie, 1
 indarceky.sk, 0
 indecipherable.info, 1
 independencerecovery.com, 1
 independent-operators.com, 1
-inderagamono.net, 1
 indesit-training.com, 1
 index-games.com, 1
 index-mp3.com, 1
 indiaflowermall.com, 1
 indian-elephant.com, 1
 indianaantlersupply.com, 1
 indianaberry.com, 1
 indianaffairs.gov, 0
@@ -16579,16 +16567,17 @@ iscert.org, 1
 isdn.jp, 1
 isdown.cz, 1
 isecrets.se, 1
 iserv.fr, 1
 iservicio.mx, 1
 isfriday.com, 1
 isgp-studies.com, 1
 ishamf.com, 1
+ishangirdhar.com, 1
 ishiharaken.com, 1
 ishome.org, 1
 isidom.fr, 1
 isil.fi, 1
 isimonbrown.co.uk, 1
 isincheck.com, 1
 isipulsa.web.id, 1
 isisfighters.info, 1
@@ -16697,17 +16686,16 @@ italyinspires.com, 1
 itamservices.nl, 1
 itb-online.co.uk, 1
 itbrief.co.nz, 1
 itbrief.com.au, 1
 itchimes.com, 1
 itchy.nl, 1
 itchybrainscentral.com, 1
 itcko.sk, 1
-itdashboard.gov, 1
 itds-consulting.com, 1
 itds-consulting.cz, 1
 itds-consulting.eu, 1
 itecor.net, 1
 iteecafe.hu, 1
 iteha.de, 1
 iteke.ml, 1
 iteke.tk, 1
@@ -16959,16 +16947,17 @@ janada.cz, 1
 janaundgeorgsagenja.eu, 1
 jandev.de, 1
 janduchene.ch, 1
 janehamelgardendesign.co.uk, 1
 jangocloud.tk, 1
 janheidler.dynv6.net, 1
 janhermann.cz, 1
 jani.media, 1
+janiat.com, 1
 janik.xyz, 0
 janjoris.nl, 1
 jankoepsel.com, 1
 jann.is, 1
 jannisfink.de, 1
 janoberst.com, 1
 janokacer.sk, 1
 janosh.com, 1
@@ -17230,16 +17219,17 @@ jing.su, 1
 jingjo.com.au, 1
 jinja.ai, 1
 jinkuru.net, 1
 jinliming.ml, 1
 jino-jossy.appspot.com, 1
 jinshuju.net, 1
 jintaiyang123.org, 1
 jiogo.com, 1
+jiosongs.com, 1
 jirav.com, 1
 jiripudil.cz, 1
 jiveiaktivno.bg, 1
 jixun.moe, 1
 jiyusu.com, 1
 jiyuu-ni.com, 1
 jiyuu-ni.net, 1
 jjj.blog, 1
@@ -17249,16 +17239,17 @@ jjvanoorschot.nl, 1
 jk-entertainment.biz, 1
 jkchocolate.com, 1
 jkest.cc, 1
 jkinteriorspa.com, 1
 jkirsche.com, 1
 jkng.eu, 1
 jkrippen.com, 1
 jkyuan.tk, 1
+jldp.org, 1
 jlhmedia.com, 1
 jlkhosting.com, 1
 jlot.org, 1
 jlponsetto.com, 1
 jlr-luxembourg.com, 1
 jltctech.com, 1
 jm-bea.net, 1
 jmalarcon.es, 1
@@ -17410,16 +17401,17 @@ jonathancarter.org, 1
 jonathandowning.uk, 1
 jonathandupree.com, 1
 jonathanha.as, 1
 jonathanj.nl, 1
 jonathanmassacand.ch, 1
 jonathansanchez.pro, 1
 jonathanschle.de, 1
 jonathanwisdom.com, 1
+jondarby.com, 1
 jondevin.com, 1
 jondowdle.com, 1
 jonesborostatebank.com, 0
 jonespayne.com, 1
 jonferwerda.net, 1
 jonfor.net, 1
 jongbloed.nl, 1
 jongcs.com, 1
@@ -18605,16 +18597,17 @@ krachtinverbinding.nl, 1
 kradalby.no, 1
 kraft.blog, 1
 kraft.im, 1
 kraftzeiten.de, 1
 krag.be, 1
 kraga.sk, 1
 kraiwan.com, 1
 kraiwon.com, 1
+kraken.io, 1
 kraken.site, 1
 kralik.io, 1
 kralovskapradelna.cz, 1
 kralovstvimap.cz, 1
 kram.nz, 1
 krambeutel.de, 1
 krampus-fischamend.at, 1
 kramsj.uk, 1
@@ -19897,17 +19890,17 @@ locationvoitureislande.com, 1
 locationvoitureitalie.com, 1
 locationvoiturenorvege.com, 1
 locationvoiturepaysbas.com, 1
 locationvoitureportugal.com, 1
 locationvoituresuede.com, 1
 locatorplus.gov, 1
 locauxrama.fr, 1
 locchat.com, 1
-locker.email, 0
+locker.email, 1
 locker3.com, 1
 lockify.com, 1
 lockpick.nl, 1
 lockpicks.se, 1
 lockr.io, 1
 locksport.org.nz, 1
 locomore.com, 1
 locomotive.net.br, 1
@@ -20035,17 +20028,17 @@ lookastic.de, 1
 lookastic.es, 1
 lookastic.fr, 1
 lookastic.mx, 1
 lookastic.ru, 1
 lookbetweenthelines.com, 1
 lookyman.net, 1
 loom.no, 1
 looneymooney.com, 1
-loony.info, 0
+loony.info, 1
 loophost.com.br, 0
 loopower.com, 1
 loopstart.org, 1
 loothole.com, 1
 loovto.net, 1
 loperetti.ch, 1
 loposchokk.com, 1
 loqu8.com, 1
@@ -20194,16 +20187,17 @@ ludwiggrill.de, 1
 ludwigpro.net, 1
 luedeke-bremen.eu, 1
 luehne.de, 1
 luelistan.net, 1
 luenwarneke.com, 1
 luffyhair.com, 1
 luftbild-siegerland.de, 1
 luftreiniger.biz, 1
+lufu.io, 1
 luganskservers.net, 1
 lugbb.org, 1
 luginbuehl.be, 1
 luginbuehl.eu, 1
 lugui.in, 1
 lui.pink, 1
 luiscapelo.info, 1
 luisgf.es, 1
@@ -21006,17 +21000,16 @@ mauricioghiorzi.com.ar, 0
 maury-moteurs.com, 1
 mavenclinic.com, 1
 mavensecurity.com, 1
 maveris.com, 1
 mawidabp.com, 1
 mawidaca.com, 1
 max-moeglich.de, 1
 max-went.pl, 1
-max.gov, 1
 maxbruckner.de, 1
 maxbruckner.org, 1
 maxbytes.nl, 0
 maxchan.info, 1
 maxdev72.freeboxos.fr, 1
 maxfox.me, 1
 maxhamon.ovh, 1
 maxhoechtl.at, 1
@@ -21220,16 +21213,17 @@ medicalcountermeasures.gov, 1
 medicare-providers.net, 1
 medicarecoveragefinder.com, 1
 medicareinfo.org, 1
 medicinesfast.com, 0
 medicinia.com.br, 1
 medicinskavranje.edu.rs, 1
 medicocompetente.it, 1
 medicoresponde.com.br, 1
+medifab.online, 1
 medifi.com, 1
 medigap-quote.net, 1
 medinside.ch, 1
 medinside.li, 1
 medinsider.ch, 1
 medinsider.li, 1
 medireport.fr, 1
 mediter-simplement.com, 1
@@ -22103,19 +22097,17 @@ monitzer.com, 1
 monix.io, 1
 monkeydust.net, 1
 monkeyhill.us, 1
 monkeytek.ca, 1
 monloyer.quebec, 1
 monnyonle.hu, 1
 monobank.no, 1
 monochrometoys.com, 1
-monodukuri.cafe, 1
 monodukuri.com, 1
-monodzukuri.cafe, 1
 monokoo.com, 1
 monolithapps.com, 1
 monolithindustries.com, 1
 monolithinteractive.com, 1
 monoseis-monotica.gr, 1
 monothesis.com, 1
 monotsuku.com, 1
 monozukuri.cafe, 1
@@ -22154,18 +22146,16 @@ moolah.rocks, 1
 moon.fish, 1
 moonagic.com, 1
 moonbot.io, 1
 moondrop.org, 1
 moonkin.eu, 1
 moonmelo.com, 1
 moonraptor.co.uk, 1
 moonraptor.com, 1
-moonrhythm.info, 1
-moonrhythm.io, 1
 moonshyne.org, 1
 moonvpn.org, 1
 moorewelliver.com, 1
 moorfunevents.co.uk, 1
 moorparkelectrical.com, 1
 mooselook.de, 1
 moovablestorage.com, 1
 moparcraft.com, 1
@@ -22297,17 +22287,16 @@ mozzilla.cz, 1
 mp3gratuiti.com, 1
 mpc-hc.org, 1
 mpcompliance.com, 1
 mpe.org, 1
 mpetroff.net, 1
 mpg-universal.com, 1
 mpg.ovh, 1
 mpi-sa.fr, 1
-mpintaamalabanna.it, 1
 mplanetphl.fr, 1
 mplant.io, 1
 mplicka.cz, 1
 mplusm.eu, 1
 mpn.poker, 1
 mpnpokertour.com, 1
 mpodraza.pl, 1
 mpreserver.com, 1
@@ -24354,17 +24343,16 @@ onlinecasino.vlaanderen, 1
 onlinecasinobluebook.com, 1
 onlinecensorship.org, 1
 onlinecollegeessay.com, 1
 onlinefashion.it, 1
 onlinelegalmarketing.com, 1
 onlinelegalmedia.com, 1
 onlinelighting.com.au, 1
 onlinemarketingtraining.co.uk, 1
-onlinepokerspelen.be, 1
 onlinerollout.de, 1
 onlinestoreninjas.com, 1
 onlineth.com, 0
 onlinetravelmoney.co.uk, 1
 onlineweblearning.com, 1
 onlyesb.com, 1
 onlyesb.net, 1
 onlylebanon.net, 1
@@ -24942,16 +24930,17 @@ paratxt.org, 1
 parcelbroker.co.uk, 1
 parchcraftaustralia.com, 1
 parckwart.de, 1
 parcon.it, 1
 pardnoy.com, 1
 parentheseardenne.be, 1
 parentinterview.com, 1
 parentsintouch.co.uk, 1
+parfum-baza.ru, 1
 pariga.co.uk, 1
 paris-store.com, 1
 parisderriere.fr, 1
 parisescortgirls.com, 1
 parisfranceparking.com, 1
 parisfranceparking.de, 1
 parisfranceparking.fr, 1
 parisfranceparking.nl, 1
@@ -25154,17 +25143,16 @@ pay8522.com, 1
 payboy.biz, 1
 payboy.rocks, 1
 paybro.eu, 1
 payfazz.com, 1
 paylike.io, 1
 payloc.io, 1
 payme.uz, 1
 payment-network.com, 1
-paymentaccuracy.gov, 1
 payments.google.com, 1
 paymerang.com, 1
 paymill.com, 1
 paymill.de, 1
 paymon.tj, 1
 payoff.com, 1
 paypal.com, 0
 paypaq.com, 1
@@ -25881,17 +25869,17 @@ plerion.net, 1
 plexhome13.ddns.net, 1
 plexi.dyndns.tv, 1
 plexpy13.ddns.net, 1
 plextv.de, 1
 plexusmd.com, 1
 plinc.co, 1
 pliosoft.com, 1
 plitu.de, 1
-ploader.ru, 1
+ploader.ru, 0
 plochka.bg, 1
 plomberierenga.com, 1
 plongee-phuket.fr, 1
 ploofer.com, 1
 plot.ly, 1
 plotbubble.com, 1
 ploxel.com, 1
 plr4wp.com, 1
@@ -26308,17 +26296,17 @@ premaritalsex.info, 1
 premierbouncycastles.co.uk, 1
 premierevents.ie, 1
 premierheart.com, 1
 premiership-predictors.co.uk, 1
 premioambiente.it, 1
 premiumweb.co.id, 1
 premiumwebdesign.it, 1
 prenatalgeboortekaartjes.nl, 1
-prenger.co, 1
+prenger.co, 0
 prepaid-cards.xyz, 1
 prepaid-voip.nl, 1
 prepaidgirl.com, 1
 prepaidkredietkaart.be, 1
 prepare-job-hunting.com, 1
 preparetheword.com, 0
 preprodfan.gov, 1
 presbee.com, 1
@@ -26587,17 +26575,17 @@ proteogenix-products.com, 1
 proteogenix.science, 1
 proteus-eretes.nl, 1
 proteus-tech.com, 1
 proto-online.ru, 1
 protocol.ai, 1
 protonmail.com, 1
 protonvpn.com, 1
 prototypefund.de, 1
-protoxin.net, 1
+protoxin.net, 0
 proust.ch, 0
 proust.media, 0
 proustmedia.de, 0
 provectus.de, 1
 proveits.me, 0
 provence-appartements.com, 1
 providerlijst.com, 1
 providerlijst.nl, 1
@@ -26682,16 +26670,17 @@ psychicsource.com, 1
 psychintervention.com, 1
 psycho-lobby.com, 1
 psycho.space, 1
 psychoactive.com, 1
 psychoco.net, 1
 psychotherapie-kp.de, 1
 psydix.org, 1
 psyk.yt, 1
+psylab.cc, 1
 psylab.re, 1
 psylab.vip, 1
 psynapse.net.au, 1
 psytrance-pro.com, 1
 pt-server.de, 1
 ptal.eu, 1
 ptbi.org.pl, 1
 ptbx.co, 1
@@ -27603,16 +27592,17 @@ reptrax.com, 1
 republic.gr, 1
 republique.org, 1
 repugnant-conclusion.com, 1
 repugnantconclusion.com, 1
 repustate.com, 1
 reputationweaver.com, 1
 reqognize.com, 1
 reqrut.net, 1
+request-trent.com, 1
 requestr.co.uk, 1
 resama.eu, 1
 resc.la, 1
 rescms-secure.com, 1
 research.facebook.com, 0
 research.md, 1
 researchgate.net, 1
 reseausyndic.ca, 1
@@ -27761,16 +27751,17 @@ richardlugten.nl, 1
 richardrblocker.net, 1
 richardson.engineering, 1
 richardson.pictures, 1
 richardson.software, 1
 richardson.systems, 1
 richardwarrender.com, 1
 richeza.com, 1
 richie.link, 1
+richmtdriver.com, 1
 richonrails.com, 1
 ricketyspace.net, 1
 ricki-z.com, 1
 rickmartensen.nl, 1
 ricknox.com, 1
 rickrongen.nl, 1
 rickscastles.co.uk, 1
 rickvanderzwet.nl, 1
@@ -28331,16 +28322,17 @@ rvsbevestigingen.nl, 1
 rw.search.yahoo.com, 0
 rwky.net, 1
 rws-vertriebsportal.de, 1
 rwx.ovh, 1
 rx-contact.com, 0
 rxbn.de, 1
 rxbusiness.com, 1
 rxcheck.com, 1
+rxgroup.io, 1
 ryan-goldstein.com, 1
 ryanbritton.com, 1
 ryancarter.co.uk, 1
 ryanhowell.io, 0
 ryankearney.com, 0
 ryanmcdonough.co.uk, 1
 ryansmithphotography.com, 1
 ryazan-region.ru, 1
@@ -28538,16 +28530,17 @@ samifar.in, 1
 samizdat.cz, 1
 samkelleher.com, 1
 saml-gateway.org, 1
 samm.com.au, 0
 sammyjohnson.com, 0
 sammyservers.com, 1
 samp.im, 1
 samsonova.de, 1
+samsungmobile.it, 1
 samsungphonegenerator.xyz, 1
 samsungxoa.com, 1
 samuelkeeley.com, 1
 samuellaulhau.fr, 1
 samui-samui.de, 0
 samuirehabcenter.com, 1
 samvanderkris.com, 1
 samwilberforce.com, 1
@@ -28740,16 +28733,17 @@ sbsnursery.co.uk, 1
 sbssoft.ru, 1
 sbytes.info, 1
 sc5.jp, 1
 scalaire.com, 1
 scalaire.fr, 1
 scalesbiolab.com, 1
 scaling.solutions, 1
 scallywagsbouncycastles.co.uk, 1
+scallywagskids.co.uk, 1
 scamblockplus.org, 1
 scandicom.fi, 1
 scandinavia.dating, 1
 scangeo.net, 1
 scanleasing.net, 1
 scanpay.dk, 1
 scarafaggio.it, 1
 scatsbouncingcastles.ie, 1
@@ -29448,16 +29442,17 @@ shadowrocket.net, 1
 shadowsing.com, 1
 shadowsocks.com, 1
 shadowsocks.com.au, 1
 shadowsocks.com.hk, 1
 shadowsocks.fr, 1
 shadowsocks.la, 1
 shadowsocks.software, 1
 shadowsocks.to, 1
+shadowsocks.wiki, 1
 shadowsworldonline.co.uk, 1
 shadwe.com, 1
 shafou.com, 1
 shag-shag.ru, 1
 shaharyaranjum.com, 1
 shaicoleman.com, 1
 shaitan.eu, 1
 shakan.ch, 1
@@ -29510,16 +29505,17 @@ sharu.me, 1
 sharvey.ca, 1
 shasso.com, 1
 shaun.net, 1
 shaunandamyswedding.com, 1
 shaunc.com, 1
 shaundanielz.com, 1
 shaunharker.com, 1
 shav.it, 1
+shavegazette.com, 1
 shavingks.com, 1
 shawcentral.ca, 0
 shawnhogan.com, 1
 shawnstarrcustomhomes.com, 1
 shawnwilkerson.com, 1
 shawnwilson.info, 1
 shazbots.org, 1
 shazzlemd.com, 1
@@ -29748,17 +29744,17 @@ siku.pro, 1
 silashes.com, 1
 silashes.ru, 1
 silaslova-ekb.ru, 1
 silentexplosion.de, 1
 silentkernel.fr, 0
 silentmode.com, 1
 silentundo.org, 1
 silerfamily.net, 1
-siliconchip.me, 1
+siliconchip.me, 0
 silkebaekken.no, 1
 sillisalaatti.fi, 1
 sillysnapz.co.uk, 1
 siloportem.net, 1
 silqueskineyeserum.com, 1
 silsha.me, 1
 silv.me, 1
 silver-heart.co.uk, 1
@@ -31011,17 +31007,16 @@ starttraffic.com, 1
 starttraffic.uk, 1
 startup.melbourne, 1
 startupgenius.org, 1
 startuplevel.com, 1
 startuppeople.co.uk, 1
 startupum.ru, 1
 starwatches.eu, 1
 starwins.co.uk, 1
-stassi.ch, 1
 stastka.ch, 1
 stat.ink, 1
 state-of-body-and-mind.com, 1
 statecollegemortgages.com, 1
 statgram.me, 1
 static-692b8c32.de, 1
 static-assets.io, 1
 static-myfxee-808795.c.cdn77.org, 1
@@ -31074,16 +31069,17 @@ steemit.com, 1
 steenackers.be, 1
 stefan-bayer.eu, 1
 stefan-schlueter.de, 1
 stefanbayer.de, 1
 stefanovski.io, 0
 stefanvanburen.xyz, 1
 stefany.eu, 1
 steffi-in-australien.com, 1
+steidlewirt.de, 1
 steigerplank.com, 0
 steinbergmedia.de, 1
 steinibox.de, 1
 steklein.de, 1
 stella-artis-ensemble.at, 1
 stellanova-planeten.de, 0
 stellarium-gornergrat.ch, 1
 stellarvale.net, 1
@@ -31230,17 +31226,16 @@ stonedworms.de, 1
 stonefusion.org.uk, 1
 stonehammerhead.org, 1
 stonemain.eu, 1
 stonemanbrasil.com.br, 1
 stonewuu.com, 1
 stony.com, 1
 stonystratford.org, 1
 stopakwardhandshakes.org, 1
-stopbreakupnow.org, 1
 stopbullying.gov, 1
 stopfraud.gov, 1
 stopthethyroidmadness.com, 1
 stordbatlag.no, 1
 store10.de, 0
 storedsafe.com, 1
 storgom.ua, 0
 storillo.com, 1
@@ -31473,17 +31468,16 @@ sun-leo.co.jp, 1
 sunboxstore.jp, 1
 sunbritetv.com, 1
 sunchasercats.com, 1
 sundanceusa.com, 1
 sundayfundayjapan.com, 1
 suneilpatel.com, 1
 sunfeathers.net, 1
 sunfireshop.com.br, 1
-sunflyer.cn, 0
 sunfox.cz, 1
 sunfulong.blog, 1
 sunfulong.me, 1
 sunjaydhama.com, 1
 sunn.ie, 1
 sunriseafricarelief.com, 1
 sunsetwx.com, 1
 sunshinesf.org, 1
@@ -31874,16 +31868,17 @@ takkaaaaa.com, 1
 takusan.ru, 1
 takuto.de, 1
 takuyaphotos.com, 1
 talado.gr, 0
 talentcast.nl, 0
 talenthero.io, 1
 talenthub.co.nz, 1
 talentos.pt, 1
+talentuar.com, 1
 taler.net, 1
 talideon.com, 0
 talk.google.com, 1
 talk.xyz, 1
 talkgadget.google.com, 1
 talkingmoose.net, 1
 talkreal.net, 1
 talktech.com, 1
@@ -31965,17 +31960,16 @@ tateesq.com, 1
 tatiloley.com, 1
 tatort-fanpage.de, 1
 tatsidou.gr, 1
 tattoo.dating, 1
 taunhanh.us, 1
 tavolaquadrada.com.br, 1
 tavsys.net, 1
 taxaroo.com, 1
-taxi-24std.de, 1
 taxi-chamonix.fr, 1
 taxi-collectif.ch, 1
 taxi-puck.pl, 1
 taxicollectif.ch, 1
 taxiindenbosch.nl, 1
 taxis-collectifs.ch, 1
 taxisafmatosinhos.pt, 1
 taxiscollectifs.ch, 1
@@ -32011,16 +32005,17 @@ tchebb.me, 1
 tchnics.de, 1
 tchoukball.ch, 1
 tcnapplications.com, 1
 tcptun.com, 1
 tcpweb.net, 1
 tdchrom.com, 1
 tdelmas.eu, 1
 tdelmas.ovh, 1
+tdfbfoundation.org, 1
 tdrcartuchos.com.br, 1
 tdrs.info, 1
 tdsb.cf, 1
 tdsbhack.tk, 1
 tdsinflatables.co.uk, 1
 tdude.co, 1
 teabagdesign.co.uk, 1
 teachercreatedmaterials.com, 1
@@ -32857,17 +32852,16 @@ tiendavertigo.com, 1
 tiens-ib.cz, 1
 tier-1-entrepreneur.com, 1
 tierarztpraxis-bogenhausen.de, 1
 tierarztpraxis-weinert.de, 1
 tiernanx.com, 1
 ties.com, 1
 tiew.pl, 1
 tifan.net, 1
-tiffanytravels.com, 1
 tiffnix.com, 1
 tigerchef.com, 1
 tigerdile.com, 1
 tiggeriffic.com, 1
 tigit.co.nz, 1
 tiglitub.com, 1
 tiihosen.fi, 1
 tijden.nu, 1
@@ -33023,16 +33017,17 @@ tlumaczenie.com, 1
 tlys.de, 1
 tm.id.au, 1
 tmberg.cf, 1
 tmberg.ga, 1
 tmberg.gq, 1
 tmberg.ml, 1
 tmberg.tk, 1
 tmc.com.mt, 1
+tmconnects.com, 1
 tmcpromotions.co.uk, 1
 tmcreationweb.com, 1
 tmdb.biz, 1
 tmf.ru, 1
 tmhr.moe, 1
 tmi-products.eu, 1
 tmi-produkter.se, 1
 tmi.news, 1
@@ -33575,16 +33570,17 @@ trekfriend.com, 1
 tremlor.com, 1
 tremolosoftware.com, 1
 tremoureux.fr, 1
 trendingpulse.com, 1
 trendkraft.de, 1
 trendydips.com, 1
 trendykids.cz, 1
 trenta.io, 1
+trentmaydew.com, 1
 tresorit.com, 1
 tresorsecurity.com, 1
 tretail.net, 1
 tretkowski.de, 1
 trewe.eu, 1
 trezy.me, 1
 trezy.net, 1
 trhastane.com, 1
@@ -33769,17 +33765,16 @@ tuincentersnaet.be, 1
 tuingereedschappen.net, 0
 tuitle.com, 1
 tuja.hu, 1
 tulsameetingroom.com, 1
 tumagiri.net, 1
 tumblenfun.com, 1
 tumedico.es, 1
 tumelum.de, 1
-tuminauskas.lt, 0
 tumutanzi.com, 1
 tune-web.de, 1
 tunefish-entertainment.de, 1
 tuner.cloud, 1
 tuning-werkstatt-nuernberg.de, 1
 tuningblog.eu, 0
 tunnelblick.net, 1
 tunnelwatch.com, 1
@@ -34324,17 +34319,16 @@ usitcolours.bg, 1
 usleep.net, 1
 usmint.gov, 1
 usparklodging.com, 1
 usportsgo.com, 1
 uspsoig.gov, 1
 ussm.gov, 1
 ussuka.com, 1
 ust.space, 1
-ustr.gov, 0
 usualbeings.com, 1
 uswitch.com, 1
 ut-addicted.com, 1
 utahfireinfo.gov, 1
 utahlocal.net, 1
 utcast-mate.com, 1
 utdscanner.com, 1
 utdsgda.com, 1
@@ -34991,21 +34985,19 @@ voidshift.com, 1
 voipkb.com, 1
 voipsun.com, 1
 vokativy.cz, 0
 vokeapp.com, 1
 volcain.io, 1
 volcanconcretos.com, 1
 volga.us, 1
 volgavibes.ru, 0
-voliere-info.nl, 0
 volker-gropp.de, 1
 volkergropp.de, 1
 volkerwesselstransfer.nl, 1
-volkerwesselswave.nl, 1
 volkswurst.de, 1
 vollans.id.au, 1
 voloevents.com, 1
 volta.io, 1
 voltimax.com, 1
 volto.io, 1
 volunteeringmatters.org.uk, 1
 vomitb.in, 1
@@ -35023,17 +35015,17 @@ vorlage-mustervertrag.de, 1
 vorlagen-geburtstagsgruesse.de, 1
 vorlicek.de, 1
 vorlif.org, 1
 vorm2.com, 1
 vorodevops.com, 1
 vos-fleurs.ch, 1
 vos-fleurs.com, 1
 vosgym.jp, 1
-voshod.org, 1
+voshod.org, 0
 vosjesweb.nl, 1
 vosky.fr, 1
 vosn.de, 1
 vosser.de, 1
 vostronet.com, 1
 voter-info.uk, 1
 votercircle.com, 1
 voterstartingpoint.uk, 1
@@ -35227,16 +35219,17 @@ wangqr.tk, 1
 wangyue.blog, 1
 wannaridecostarica.com, 1
 wantshow.com.br, 1
 wanybug.cn, 1
 waonui.io, 1
 warcraftjournal.org, 1
 wardow.com, 1
 warebouncycastles.co.uk, 1
+warekit.io, 1
 warekon.com, 1
 warekon.dk, 1
 warenits.at, 1
 warezaddict.com, 1
 wargameexclusive.com, 1
 warhaggis.com, 1
 warlions.info, 0
 warmestwishes.ca, 1
@@ -35616,16 +35609,17 @@ werkstattkinder.de, 1
 werktor.com, 1
 werktor.net, 1
 werner-ema.de, 1
 werner-schaeffer.de, 1
 wernerschaeffer.de, 1
 werpo.com.ar, 1
 wertheimer-burgrock.de, 1
 werwolf-live.de, 1
+wesayyesprogram.com, 1
 wesecom.com, 1
 wesell.asia, 1
 weserv.nl, 1
 wesleycabus.be, 1
 wespeakgeek.co.za, 1
 wesreportportal.com, 1
 wessner.co, 1
 wessner.org, 1
@@ -35845,33 +35839,33 @@ wildtrip.blog, 1
 wildwildtravel.com, 1
 wilfrid-calixte.fr, 1
 wilhelm-nathan.de, 1
 wili.li, 1
 wiliquet.net, 1
 willbarnesphotography.co.uk, 1
 willberg.bayern, 1
 willekeinden.nl, 1
-willeminfo.ch, 1
 willems-kristiansen.dk, 1
 willfarrell.ca, 1
 willi-graf-gymnasium.de, 1
 willi-graf-os.de, 1
 william.gg, 1
 williamboundsltd.com, 1
 williamfeely.info, 1
 williamjohngauthier.net, 1
 williamsonshore.com, 1
 williamsportmortgages.com, 1
 willkommen-fuerstenberg.de, 1
 willnorris.com, 1
 willow.technology, 1
 willowdalechurch.ca, 1
 willowtree.school, 1
 wills.co.tt, 1
+willstamper.name, 1
 willywangstory.com, 1
 willywangstory.com.tw, 1
 willywangstory.org, 1
 wiloca.it, 1
 wilseyrealty.com, 1
 wilsonovi.com, 1
 wimachtendienk.com, 1
 wimbo.nl, 1
@@ -36345,17 +36339,16 @@ www.twitter.com, 0
 www.united.com, 1
 www.usaa.com, 0
 www.vino75.com, 0
 www.wepay.com, 0
 www.wordpress.com, 0
 www68277.com, 1
 wxcafe.net, 1
 wxh.jp, 1
-wxrlab.com, 1
 wxster.com, 1
 wy6.org, 1
 wyam.io, 1
 wybar.uk, 1
 wyday.com, 1
 wyeworks.com, 1
 wygibanki.pl, 1
 wygodnie.pl, 1
@@ -36837,17 +36830,17 @@ yetishirt.com, 1
 yetzt.me, 0
 yeu.io, 1
 yfengs.moe, 1
 yggdar.ga, 1
 yhaupenthal.org, 1
 yhb.io, 1
 yhong.me, 1
 yhori.xyz, 1
-yhwj.top, 1
+yhwj.top, 0
 yibaoweilong.top, 1
 yibin0831.com, 1
 yicknam.my, 1
 yii2.cc, 1
 yikeyong.com, 1
 yimgo.fr, 1
 yin8888.tv, 1
 yinfor.com, 1
@@ -37095,18 +37088,16 @@ yzcloud.me, 1
 yzimroni.net, 1
 z-coder.com, 1
 z-konzept-nutrition.ru, 1
 z-latko.info, 1
 z-vector.com, 1
 z.ai, 1
 z0rro.net, 1
 z1h.de, 1
-z33.ch, 0
-z33.co, 0
 z4k.de, 1
 z99944x.xyz, 1
 za.search.yahoo.com, 0
 zaalleatherwear.nl, 0
 zabszk.net, 1
 zabukovnik.net, 1
 zacarias.com.ar, 1
 zacavi.com.br, 1
--- a/toolkit/content/widgets/notification.xml
+++ b/toolkit/content/widgets/notification.xml
@@ -507,21 +507,22 @@
                    xbl:inherits="popupid,src=icon,class=iconclass"/>
         <xul:vbox flex="1" pack="start"
                   class="popup-notification-body" xbl:inherits="popupid">
           <xul:hbox align="start">
             <xul:vbox flex="1">
               <xul:label class="popup-notification-origin header"
                          xbl:inherits="value=origin,tooltiptext=origin"
                          crop="center"/>
-              <xul:description class="popup-notification-description"
-                               xbl:inherits="popupid">
-                <!-- These need to be on the same line to avoid creating whitespace between them (whitespace is added in the localization file, if necessary). -->
-                <html:span xbl:inherits="xbl:text=label,popupid"/><html:b xbl:inherits="xbl:text=name,popupid"/><html:span xbl:inherits="xbl:text=endlabel,popupid"/>
-              </xul:description>
+              <!-- These need to be on the same line to avoid creating
+                   whitespace between them (whitespace is added in the
+                   localization file, if necessary). -->
+              <xul:description class="popup-notification-description" xbl:inherits="popupid"><html:span
+                xbl:inherits="xbl:text=label,popupid"/><html:b xbl:inherits="xbl:text=name,popupid"/><html:span
+              xbl:inherits="xbl:text=endlabel,popupid"/></xul:description>
             </xul:vbox>
             <xul:toolbarbutton anonid="closebutton"
                                class="messageCloseButton close-icon popup-notification-closebutton tabbable"
                                xbl:inherits="oncommand=closebuttoncommand,hidden=closebuttonhidden"
                                tooltiptext="&closeNotification.tooltip;"/>
           </xul:hbox>
           <children includes="popupnotificationcontent"/>
           <xul:label class="text-link popup-notification-learnmore-link"