Merge mozilla-central to autoland

accessible/ipc/DocAccessibleParent.h

@@ -76,12 +76,11 @@ public:
 
   void Unbind()
   {
-    mParent = nullptr;
     if (DocAccessibleParent* parent = ParentDoc()) {
-      parent->mChildDocs.RemoveElement(this);
+      parent->RemoveChildDoc(this);
     }
 
-    mParentDoc = nullptr;
+    mParent = nullptr;
   }
 
   virtual mozilla::ipc::IPCResult RecvShutdown() override;

browser/base/content/browser.xul

@@ -178,7 +178,7 @@
       <menupopup rolluponmousewheel="true"
                  activateontab="true" position="after_start"
 #ifdef XP_WIN
-                 consumeoutsideclicks="false" ignorekeys="handled"
+                 consumeoutsideclicks="false" ignorekeys="shortcuts"
 #endif
         />
     </menulist>

browser/base/content/test/general/browser_selectpopup.js

@@ -164,6 +164,14 @@ function* doSelectTests(contentType, dtd)
       "Select all while popup is open");
   });
 
+  // Backspace should not go back
+  let handleKeyPress = function(event) {
+    ok(false, "Should not get keypress event");
+  }
+  window.addEventListener("keypress", handleKeyPress);
+  EventUtils.synthesizeKey("VK_BACK_SPACE", { });
+  window.removeEventListener("keypress", handleKeyPress);
+
   yield hideSelectPopup(selectPopup);
 
   is(menulist.selectedIndex, 3, "Item 3 still selected");

devtools/client/animationinspector/test/browser_animation_animated_properties_displayed.js

@@ -82,7 +82,7 @@ function hasExpectedWarnings(containerEl) {
   let warnings = [...containerEl.querySelectorAll(".warning")];
   for (let warning of warnings) {
     let warningID =
-      "CompositorAnimationWarningTransformWithGeometricProperties";
+      "CompositorAnimationWarningTransformWithSyncGeometricAnimations";
     if (warning.getAttribute("title") == LAYOUT_ERRORS_L10N.getStr(warningID)) {
       return true;
     }

devtools/client/animationinspector/test/browser_animation_running_on_compositor.js

@@ -15,7 +15,7 @@ add_task(function* () {
   let timeline = panel.animationsTimelineComponent;
 
   info("Select a test node we know has an animation running on the compositor");
-  yield selectNodeAndWaitForAnimations(".animated", inspector);
+  yield selectNodeAndWaitForAnimations(".compositor-all", inspector);
 
   let animationEl = timeline.animationsEl.querySelector(".animation");
   ok(animationEl.classList.contains("fast-track"),

devtools/client/animationinspector/test/doc_simple_animation.html

@@ -82,6 +82,10 @@
       animation: no-compositor 10s cubic-bezier(.57,-0.02,1,.31) forwards;
     }
 
+    .compositor-all {
+      animation: compositor-all 2s infinite;
+    }
+
     .compositor-notall {
       animation: compositor-notall 2s infinite;
     }
@@ -104,6 +108,10 @@
       }
     }
 
+    @keyframes compositor-all {
+      to { opacity: 0.5 }
+    }
+
     @keyframes compositor-notall {
       from {
         opacity: 0;
@@ -130,6 +138,7 @@
   <div class="ball negative-delay"></div>
   <div class="ball no-compositor"></div>
   <div class="ball" id="endDelayed"></div>
+  <div class="ball compositor-all"></div>
   <div class="ball compositor-notall"></div>
   <script>
     /* globals KeyframeEffect, Animation */

devtools/client/jsonview/converter-child.js

@@ -6,7 +6,7 @@
 
 "use strict";
 
-const {Cu, Cc, Ci, components} = require("chrome");
+const {Cc, Ci, components} = require("chrome");
 const Services = require("Services");
 const {Class} = require("sdk/core/heritage");
 const {Unknown} = require("sdk/platform/xpcom");
@@ -140,9 +140,8 @@ let Converter = Class({
     JsonViewUtils.exportIntoContentScope(win, Locale, "Locale");
 
     Events.once(win, "DOMContentLoaded", event => {
-      Cu.exportFunction(this.postChromeMessage.bind(this), win, {
-        defineAs: "postChromeMessage"
-      });
+      win.addEventListener("contentMessage",
+        this.onContentMessage.bind(this), false, true);
     });
 
     // The request doesn't have to be always nsIHttpChannel
@@ -263,10 +262,15 @@ let Converter = Class({
 
   // Chrome <-> Content communication
 
-  postChromeMessage: function (type, args, objects) {
-    let value = args;
+  onContentMessage: function (e) {
+    // Do not handle events from different documents.
+    let win = NetworkHelper.getWindowForRequest(this.channel);
+    if (win != e.target) {
+      return;
+    }
 
-    switch (type) {
+    let value = e.detail.value;
+    switch (e.detail.type) {
       case "copy":
         Clipboard.set(value, "text");
         break;

devtools/client/jsonview/json-viewer.js

@@ -3,7 +3,6 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/* global postChromeMessage */
 
 "use strict";
 
@@ -42,17 +41,15 @@ define(function (require, exports, module) {
    */
   input.actions = {
     onCopyJson: function () {
-      let value = input.prettified ? input.jsonPretty : input.jsonText;
-      postChromeMessage("copy", value);
+      dispatchEvent("copy", input.prettified ? input.jsonPretty : input.jsonText);
     },
 
     onSaveJson: function () {
-      let value = input.prettified ? input.jsonPretty : input.jsonText;
-      postChromeMessage("save", value);
+      dispatchEvent("save", input.prettified ? input.jsonPretty : input.jsonText);
     },
 
     onCopyHeaders: function () {
-      postChromeMessage("copy-headers", input.headers);
+      dispatchEvent("copy-headers", input.headers);
     },
 
     onSearch: function (value) {
@@ -73,6 +70,24 @@ define(function (require, exports, module) {
     },
   };
 
+  /**
+   * Helper for dispatching an event. It's handled in chrome scope.
+   *
+   * @param {String} type Event detail type
+   * @param {Object} value Event detail value
+   */
+  function dispatchEvent(type, value) {
+    let data = {
+      detail: {
+        type,
+        value,
+      }
+    };
+
+    let contentMessageEvent = new CustomEvent("contentMessage", data);
+    window.dispatchEvent(contentMessageEvent);
+  }
+
   /**
    * Render the main application component. It's the main tab bar displayed
    * at the top of the window. This component also represents ReacJS root.

docshell/base/nsDocShell.cpp

@@ -12443,7 +12443,7 @@ nsDocShell::LoadHistoryEntry(nsISHEntry* aEntry, uint32_t aLoadType)
     // Don't cache the presentation if we're going to just reload the
     // current entry. Caching would lead to trying to save the different
     // content viewers in the same nsISHEntry object.
-    rv = CreateAboutBlankContentViewer(triggeringPrincipal, nullptr,
+    rv = CreateAboutBlankContentViewer(principalToInherit, nullptr,
                                        aEntry != mOSHE);
 
     if (NS_FAILED(rv)) {

dom/animation/Animation.cpp

@@ -726,7 +726,6 @@ Animation::ElapsedTimeToTimeStamp(
                                   mEffect->SpecifiedTiming().mDelay);
 }
 
-
 // https://w3c.github.io/web-animations/#silently-set-the-current-time
 void
 Animation::SilentlySetCurrentTime(const TimeDuration& aSeekTime)
@@ -781,6 +780,44 @@ Animation::CancelNoUpdate()
   }
 }
 
+bool
+Animation::ShouldBeSynchronizedWithMainThread(
+  nsCSSPropertyID aProperty,
+  const nsIFrame* aFrame,
+  AnimationPerformanceWarning::Type& aPerformanceWarning) const
+{
+  // Only synchronize playing animations
+  if (!IsPlaying()) {
+    return false;
+  }
+
+  // Currently only transform animations need to be synchronized
+  if (aProperty != eCSSProperty_transform) {
+    return false;
+  }
+
+  KeyframeEffectReadOnly* keyframeEffect = mEffect
+                                           ? mEffect->AsKeyframeEffect()
+                                           : nullptr;
+  if (!keyframeEffect) {
+    return false;
+  }
+
+  // Are we starting at the same time as other geometric animations?
+  // We check this before calling ShouldBlockAsyncTransformAnimations, partly
+  // because it's cheaper, but also because it's often the most useful thing
+  // to know when you're debugging performance.
+  if (mSyncWithGeometricAnimations &&
+      keyframeEffect->HasAnimationOfProperty(eCSSProperty_transform)) {
+    aPerformanceWarning = AnimationPerformanceWarning::Type::
+                          TransformWithSyncGeometricAnimations;
+    return true;
+  }
+
+  return keyframeEffect->
+           ShouldBlockAsyncTransformAnimations(aFrame, aPerformanceWarning);
+}
+
 void
 Animation::UpdateRelevance()
 {
@@ -939,6 +976,16 @@ Animation::NotifyEffectTimingUpdated()
                Animation::SyncNotifyFlag::Async);
 }
 
+void
+Animation::NotifyGeometricAnimationsStartingThisFrame()
+{
+  if (!IsNewlyStarted() || !mEffect) {
+    return;
+  }
+
+  mSyncWithGeometricAnimations = true;
+}
+
 // https://w3c.github.io/web-animations/#play-an-animation
 void
 Animation::PlayNoUpdate(ErrorResult& aRv, LimitBehavior aLimitBehavior)
@@ -1004,6 +1051,11 @@ Animation::PlayNoUpdate(ErrorResult& aRv, LimitBehavior aLimitBehavior)
 
   mPendingState = PendingState::PlayPending;
 
+  // Clear flag that causes us to sync transform animations with the main
+  // thread for now. We'll set this when we go to set up compositor
+  // animations if it applies.
+  mSyncWithGeometricAnimations = false;
+
   nsIDocument* doc = GetRenderedDocument();
   if (doc) {
     PendingAnimationTracker* tracker =

dom/animation/Animation.h

@@ -9,6 +9,7 @@
 
 #include "nsWrapperCache.h"
 #include "nsCycleCollectionParticipant.h"
+#include "mozilla/AnimationPerformanceWarning.h"
 #include "mozilla/Attributes.h"
 #include "mozilla/DOMEventTargetHelper.h"
 #include "mozilla/EffectCompositor.h" // For EffectCompositor::CascadeLevel
@@ -35,7 +36,7 @@
 struct JSContext;
 class nsCSSPropertyIDSet;
 class nsIDocument;
-class nsPresContext;
+class nsIFrame;
 
 namespace mozilla {
 
@@ -62,6 +63,7 @@ public:
     , mFinishedAtLastComposeStyle(false)
     , mIsRelevant(false)
     , mFinishedIsResolved(false)
+    , mSyncWithGeometricAnimations(false)
   {
   }
 
@@ -281,6 +283,11 @@ public:
             mPendingState == PendingState::PlayPending);
   }
 
+  bool ShouldBeSynchronizedWithMainThread(
+    nsCSSPropertyID aProperty,
+    const nsIFrame* aFrame,
+    AnimationPerformanceWarning::Type& aPerformanceWarning) const;
+
   bool IsRelevant() const { return mIsRelevant; }
   void UpdateRelevance();
 
@@ -314,6 +321,7 @@ public:
                     const nsCSSPropertyIDSet& aPropertiesToSkip);
 
   void NotifyEffectTimingUpdated();
+  void NotifyGeometricAnimationsStartingThisFrame();
 
 protected:
   void SilentlySetCurrentTime(const TimeDuration& aNewCurrentTime);
@@ -374,6 +382,18 @@ protected:
    */
   void ResetPendingTasks();
 
+  /**
+   * Returns true if this animation is not only play-pending, but has
+   * yet to be given a pending ready time. This roughly corresponds to
+   * animations that are waiting to be painted (since we set the pending
+   * ready time at the end of painting). Identifying such animations is
+   * useful because in some cases animations that are painted together
+   * may need to be synchronized.
+   */
+  bool IsNewlyStarted() const {
+    return mPendingState == PendingState::PlayPending &&
+           mPendingReadyTime.IsNull();
+  }
   bool IsPossiblyOrphanedPendingAnimation() const;
   StickyTimeDuration EffectEnd() const;
 
@@ -433,6 +453,11 @@ protected:
   // finished promise.
   bool mFinishedIsResolved;
 
+  // True if this animation was triggered at the same time as one or more
+  // geometric animations and hence we should run any transform animations on
+  // the main thread.
+  bool mSyncWithGeometricAnimations;
+
   nsString mId;
 };
 

dom/animation/AnimationEffectReadOnly.h

@@ -85,6 +85,14 @@ public:
   virtual void SetAnimation(Animation* aAnimation) = 0;
   Animation* GetAnimation() const { return mAnimation; };
 
+  /**
+   * Returns true if this effect animates one of the properties we consider
+   * geometric properties, e.g. properties such as 'width' or 'margin-left'
+   * that we try to synchronize with transform animations, on a valid target
+   * element.
+   */
+  virtual bool AffectsGeometry() const = 0;
+
 protected:
   virtual ~AnimationEffectReadOnly();
 

dom/animation/AnimationPerformanceWarning.cpp

@@ -59,6 +59,9 @@ AnimationPerformanceWarning::ToLocalizedString(
     case Type::TransformWithGeometricProperties:
       key = "CompositorAnimationWarningTransformWithGeometricProperties";
       break;
+    case Type::TransformWithSyncGeometricAnimations:
+      key = "CompositorAnimationWarningTransformWithSyncGeometricAnimations";
+      break;
     case Type::TransformFrameInactive:
       key = "CompositorAnimationWarningTransformFrameInactive";
       break;

dom/animation/AnimationPerformanceWarning.h

@@ -9,6 +9,9 @@
 
 #include <initializer_list>
 
+#include "mozilla/Maybe.h"
+#include "nsTArray.h"
+
 class nsXPIDLString;
 
 namespace mozilla {
@@ -23,6 +26,7 @@ struct AnimationPerformanceWarning
     TransformPreserve3D,
     TransformSVG,
     TransformWithGeometricProperties,
+    TransformWithSyncGeometricAnimations,
     TransformFrameInactive,
     OpacityFrameInactive,
     HasRenderingObserver,

dom/animation/EffectCompositor.cpp

@@ -85,19 +85,15 @@ IsMatchForCompositor(const KeyframeEffectReadOnly& aEffect,
     return MatchForCompositor::No;
   }
 
-  bool isPlaying = animation->IsPlaying();
-
-  // If we are finding animations for transform, check if there are other
-  // animations that should block the transform animation. e.g. geometric
-  // properties' animation. This check should be done regardless of whether
-  // the effect has the target property |aProperty| or not.
   AnimationPerformanceWarning::Type warningType;
-  if (aProperty == eCSSProperty_transform &&
-      isPlaying &&
-      aEffect.ShouldBlockAsyncTransformAnimations(aFrame, warningType)) {
+  if (animation->ShouldBeSynchronizedWithMainThread(aProperty, aFrame,
+                                                    warningType)) {
     EffectCompositor::SetPerformanceWarning(
       aFrame, aProperty,
       AnimationPerformanceWarning(warningType));
+    // For a given |aFrame|, we don't want some animations of |aProperty| to
+    // run on the compositor and others to run on the main thread, so if any
+    // need to be synchronized with the main thread, run them all there.
     return MatchForCompositor::NoAndBlockThisProperty;
   }
 
@@ -105,7 +101,9 @@ IsMatchForCompositor(const KeyframeEffectReadOnly& aEffect,
     return MatchForCompositor::No;
   }
 
-  return isPlaying ? MatchForCompositor::Yes : MatchForCompositor::IfNeeded;
+  return animation->IsPlaying()
+         ? MatchForCompositor::Yes
+         : MatchForCompositor::IfNeeded;
 }
 
 // Helper function to factor out the common logic from
@@ -127,6 +125,18 @@ FindAnimationsForCompositor(const nsIFrame* aFrame,
     return false;
   }
 
+  // First check for newly-started transform animations that should be
+  // synchronized with geometric animations. We need to do this before any
+  // other early returns (the one above is ok) since we can only check this
+  // state when the animation is newly-started.
+  if (aProperty == eCSSProperty_transform) {
+    PendingAnimationTracker* tracker =
+      aFrame->PresContext()->Document()->GetPendingAnimationTracker();
+    if (tracker) {
+      tracker->MarkAnimationsThatMightNeedSynchronization();
+    }
+  }
+
   // If the property will be added to the animations level of the cascade but
   // there is an !important rule for that property in the cascade then the
   // animation will not be applied since the !important rule overrides it.
@@ -190,6 +200,9 @@ FindAnimationsForCompositor(const nsIFrame* aFrame,
       IsMatchForCompositor(*effect, aProperty, aFrame);
 
     if (matchResult == MatchForCompositor::NoAndBlockThisProperty) {
+      // For a given |aFrame|, we don't want some animations of |aProperty| to
+      // run on the compositor and others to run on the main thread, so if any
+      // need to be synchronized with the main thread, run them all there.
       if (aMatches) {
         aMatches->Clear();
       }

dom/animation/KeyframeEffectReadOnly.cpp

@@ -1255,10 +1255,21 @@ KeyframeEffectReadOnly::GetPresContext() const
 KeyframeEffectReadOnly::IsGeometricProperty(
   const nsCSSPropertyID aProperty)
 {
+  MOZ_ASSERT(!nsCSSProps::IsShorthand(aProperty),
+             "Property should be a longhand property");
+
   switch (aProperty) {
     case eCSSProperty_bottom:
     case eCSSProperty_height:
     case eCSSProperty_left:
+    case eCSSProperty_margin_bottom:
+    case eCSSProperty_margin_left:
+    case eCSSProperty_margin_right:
+    case eCSSProperty_margin_top:
+    case eCSSProperty_padding_bottom:
+    case eCSSProperty_padding_left:
+    case eCSSProperty_padding_right:
+    case eCSSProperty_padding_top:
     case eCSSProperty_right:
     case eCSSProperty_top:
     case eCSSProperty_width:
@@ -1305,12 +1316,6 @@ KeyframeEffectReadOnly::ShouldBlockAsyncTransformAnimations(
   const nsIFrame* aFrame,
   AnimationPerformanceWarning::Type& aPerformanceWarning) const
 {
-  // We currently only expect this method to be called for effects whose
-  // animations are eligible for the compositor since, Animations that are
-  // paused, zero-duration, finished etc. should not block other animations from
-  // running on the compositor.
-  MOZ_ASSERT(mAnimation && mAnimation->IsPlaying());
-
   EffectSet* effectSet =
     EffectSet::GetEffectSet(mTarget->mElement, mTarget->mPseudoType);
   for (const AnimationProperty& property : mProperties) {
@@ -1347,6 +1352,18 @@ KeyframeEffectReadOnly::ShouldBlockAsyncTransformAnimations(
   return false;
 }
 
+bool
+KeyframeEffectReadOnly::HasGeometricProperties() const
+{
+  for (const AnimationProperty& property : mProperties) {
+    if (IsGeometricProperty(property.mProperty)) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
 void
 KeyframeEffectReadOnly::SetPerformanceWarning(
   nsCSSPropertyID aProperty,

dom/animation/KeyframeEffectReadOnly.h

@@ -316,6 +316,11 @@ public:
   bool ShouldBlockAsyncTransformAnimations(
     const nsIFrame* aFrame,
     AnimationPerformanceWarning::Type& aPerformanceWarning) const;
+  bool HasGeometricProperties() const;
+  bool AffectsGeometry() const override
+  {
+    return GetTarget() && HasGeometricProperties();
+  }
 
   nsIDocument* GetRenderedDocument() const;
   nsPresContext* GetPresContext() const;

dom/animation/PendingAnimationTracker.cpp

@@ -85,6 +85,10 @@ PendingAnimationTracker::TriggerPendingAnimationsOnNextTick(const TimeStamp&
 
   triggerAnimationsAtReadyTime(mPlayPendingSet);
   triggerAnimationsAtReadyTime(mPausePendingSet);
+
+  mHasPlayPendingGeometricAnimations = mPlayPendingSet.Count()
+                                       ? CheckState::Indeterminate
+                                       : CheckState::Absent;
 }
 
 void
@@ -99,6 +103,57 @@ PendingAnimationTracker::TriggerPendingAnimationsNow()
 
   triggerAndClearAnimations(mPlayPendingSet);
   triggerAndClearAnimations(mPausePendingSet);
+
+  mHasPlayPendingGeometricAnimations = CheckState::Absent;
+}
+
+void
+PendingAnimationTracker::MarkAnimationsThatMightNeedSynchronization()
+{
+  // We only ever set mHasPlayPendingGeometricAnimations to 'present' in
+  // HasPlayPendingGeometricAnimations(). So, if it is 'present' already,
+  // (i.e. before calling HasPlayPendingGeometricAnimations()) we can assume
+  // that this method has already been called for the current set of
+  // play-pending animations and it is not necessary to run again.
+  //
+  // We can't make the same assumption about 'absent', but if this method
+  // was already called and the result was 'absent', then this method is
+  // a no-op anyway so it's ok to run again.
+  //
+  // Note that *without* this optimization, starting animations would become
+  // O(n^2) in that case where each animation is on a different element and
+  // contains a compositor-animatable property since we would end up iterating
+  // over all animations in the play-pending set for each target element.
+  if (mHasPlayPendingGeometricAnimations == CheckState::Present) {
+    return;
+  }
+
+  if (!HasPlayPendingGeometricAnimations()) {
+    return;
+  }
+
+  for (auto iter = mPlayPendingSet.Iter(); !iter.Done(); iter.Next()) {
+    iter.Get()->GetKey()->NotifyGeometricAnimationsStartingThisFrame();
+  }
+}
+
+bool
+PendingAnimationTracker::HasPlayPendingGeometricAnimations()
+{
+  if (mHasPlayPendingGeometricAnimations != CheckState::Indeterminate) {
+    return mHasPlayPendingGeometricAnimations == CheckState::Present;
+  }
+
+  mHasPlayPendingGeometricAnimations = CheckState::Absent;
+  for (auto iter = mPlayPendingSet.ConstIter(); !iter.Done(); iter.Next()) {
+    auto animation = iter.Get()->GetKey();
+    if (animation->GetEffect() && animation->GetEffect()->AffectsGeometry()) {
+      mHasPlayPendingGeometricAnimations = CheckState::Present;
+      break;
+    }
+  }
+
+  return mHasPlayPendingGeometricAnimations == CheckState::Present;
 }
 
 void

dom/animation/PendingAnimationTracker.h

@@ -31,10 +31,12 @@ public:
     MOZ_ASSERT(!IsWaitingToPause(aAnimation),
                "Animation is already waiting to pause");
     AddPending(aAnimation, mPlayPendingSet);
+    mHasPlayPendingGeometricAnimations = CheckState::Indeterminate;
   }
   void RemovePlayPending(dom::Animation& aAnimation)
   {
     RemovePending(aAnimation, mPlayPendingSet);
+    mHasPlayPendingGeometricAnimations = CheckState::Indeterminate;
   }
   bool IsWaitingToPlay(const dom::Animation& aAnimation) const
   {
@@ -62,9 +64,17 @@ public:
     return mPlayPendingSet.Count() > 0 || mPausePendingSet.Count() > 0;
   }
 
+  /**
+   * Looks amongst the set of play-pending animations, and, if there are
+   * animations that affect geometric properties, notifies all play-pending
+   * animations so that they can be synchronized, if needed.
+   */
+  void MarkAnimationsThatMightNeedSynchronization();
+
 private:
   ~PendingAnimationTracker() { }
 
+  bool HasPlayPendingGeometricAnimations();
   void EnsurePaintIsScheduled();
 
   typedef nsTHashtable<nsRefPtrHashKey<dom::Animation>> AnimationSet;
@@ -77,6 +87,13 @@ private:
   AnimationSet mPlayPendingSet;
   AnimationSet mPausePendingSet;
   nsCOMPtr<nsIDocument> mDocument;
+
+  enum class CheckState {
+    Indeterminate,
+    Absent,
+    Present
+  };
+  CheckState mHasPlayPendingGeometricAnimations = CheckState::Indeterminate;
 };
 
 } // namespace mozilla

dom/animation/test/mozilla/file_discrete-animations.html

@@ -143,18 +143,6 @@ for (let property in gMozillaSpecificProperties) {
    + from + "' and '" + to + "' with keyframe easing");
 }
 
-function propertyToIDL(property) {
-  var prefixMatch = property.match(/^-(\w+)-/);
-  if (prefixMatch) {
-    var prefix = prefixMatch[1] === "moz" ? "Moz" : prefixMatch[1];
-    property = prefix + property.substring(prefixMatch[0].length - 1);
-  }
-  // https://drafts.csswg.org/cssom/#css-property-to-idl-attribute
-  return property.replace(/-([a-z])/gi, function(str, group) {
-    return group.toUpperCase();
-  });
-}
-
 function testAnimationSamples(animation, idlName, testSamples) {
   const target = animation.effect.target;
   testSamples.forEach(testSample => {

dom/animation/test/testcommon.js

@@ -137,6 +137,22 @@ function addStyle(t, rules) {
   }
 }
 
+/**
+ * Takes a CSS property (e.g. margin-left) and returns the equivalent IDL
+ * name (e.g. marginLeft).
+ */
+function propertyToIDL(property) {
+  var prefixMatch = property.match(/^-(\w+)-/);
+  if (prefixMatch) {
+    var prefix = prefixMatch[1] === 'moz' ? 'Moz' : prefixMatch[1];
+    property = prefix + property.substring(prefixMatch[0].length - 1);
+  }
+  // https://drafts.csswg.org/cssom/#css-property-to-idl-attribute
+  return property.replace(/-([a-z])/gi, function(str, group) {
+    return group.toUpperCase();
+  });
+}
+
 /**
  * Promise wrapper for requestAnimationFrame.
  */
@@ -146,6 +162,15 @@ function waitForFrame() {
   });
 }
 
+/**
+ * Promise wrapper for requestIdleCallback.
+ */
+function waitForIdleCallback() {
+  return new Promise(function(resolve, reject) {
+    window.requestIdleCallback(resolve);
+  });
+}
+
 /**
  * Returns a Promise that is resolved after the given number of consecutive
  * animation frames have occured (using requestAnimationFrame callbacks).
@@ -214,7 +239,7 @@ if (opener) {
 }
 
 /**
- * Return a new MutaionObserver which started observing |target| element
+ * Return a new MutationObserver which started observing |target| element
  * with { animations: true, subtree: |subtree| } option.
  * NOTE: This observer should be used only with takeRecords(). If any of
  * MutationRecords are observed in the callback of the MutationObserver,

dom/canvas/WebGL2ContextFramebuffers.cpp

@@ -105,30 +105,119 @@ WebGL2Context::GetFramebufferAttachmentParameter(JSContext* cx,
                                                            out_error);
 }
 
-// Map attachments intended for the default buffer, to attachments for a non-
-// default buffer.
+////
+
 static bool
-TranslateDefaultAttachments(const dom::Sequence<GLenum>& in, dom::Sequence<GLenum>* out)
+ValidateBackbufferAttachmentEnum(WebGLContext* webgl, const char* funcName,
+                                 GLenum attachment)
 {
-    for (size_t i = 0; i < in.Length(); i++) {
-        switch (in[i]) {
-            case LOCAL_GL_COLOR:
-                if (!out->AppendElement(LOCAL_GL_COLOR_ATTACHMENT0, fallible)) {
-                    return false;
-                }
-                break;
+    switch (attachment) {
+    case LOCAL_GL_COLOR:
+    case LOCAL_GL_DEPTH:
+    case LOCAL_GL_STENCIL:
+        return true;
 
-            case LOCAL_GL_DEPTH:
-                if (!out->AppendElement(LOCAL_GL_DEPTH_ATTACHMENT, fallible)) {
-                    return false;
-                }
-                break;
+    default:
+        webgl->ErrorInvalidEnum("%s: attachment: invalid enum value 0x%x.",
+                                funcName, attachment);
+        return false;
+    }
+}
 
-            case LOCAL_GL_STENCIL:
-                if (!out->AppendElement(LOCAL_GL_STENCIL_ATTACHMENT, fallible)) {
-                    return false;
+static bool
+ValidateFramebufferAttachmentEnum(WebGLContext* webgl, const char* funcName,
+                                  GLenum attachment)
+{
+    if (attachment >= LOCAL_GL_COLOR_ATTACHMENT0 &&
+        attachment <= webgl->LastColorAttachmentEnum())
+    {
+        return true;
+    }
+
+    switch (attachment) {
+    case LOCAL_GL_DEPTH_ATTACHMENT:
+    case LOCAL_GL_STENCIL_ATTACHMENT:
+    case LOCAL_GL_DEPTH_STENCIL_ATTACHMENT:
+        return true;
+
+    default:
+        webgl->ErrorInvalidEnum("%s: attachment: invalid enum value 0x%x.",
+                                funcName, attachment);
+        return false;
+    }
+}
+
+bool
+WebGLContext::ValidateInvalidateFramebuffer(const char* funcName, GLenum target,
+                                            const dom::Sequence<GLenum>& attachments,
+                                            ErrorResult* const out_rv,
+                                            std::vector<GLenum>* const scopedVector,
+                                            GLsizei* const out_glNumAttachments,
+                                            const GLenum** const out_glAttachments)
+{
+    if (IsContextLost())
+        return false;
+
+    gl->MakeCurrent();
+
+    if (!ValidateFramebufferTarget(target, funcName))
+        return false;
+
+    const WebGLFramebuffer* fb;
+    bool isDefaultFB;
+    switch (target) {
+    case LOCAL_GL_FRAMEBUFFER:
+    case LOCAL_GL_DRAW_FRAMEBUFFER:
+        fb = mBoundDrawFramebuffer;
+        isDefaultFB = gl->Screen()->IsDrawFramebufferDefault();
+        break;
+
+    case LOCAL_GL_READ_FRAMEBUFFER:
+        fb = mBoundReadFramebuffer;
+        isDefaultFB = gl->Screen()->IsReadFramebufferDefault();
+        break;
+
+    default:
+        MOZ_CRASH("GFX: Bad target.");
+    }
+
+    *out_glNumAttachments = attachments.Length();
+    *out_glAttachments = attachments.Elements();
+
+    if (fb) {
+        for (const auto& attachment : attachments) {
+            if (!ValidateFramebufferAttachmentEnum(this, funcName, attachment))
+                return false;
+        }
+    } else {
+        for (const auto& attachment : attachments) {
+            if (!ValidateBackbufferAttachmentEnum(this, funcName, attachment))
+                return false;
+        }
+
+        if (!isDefaultFB) {
+            MOZ_ASSERT(scopedVector->empty());
+            scopedVector->reserve(attachments.Length());
+            for (const auto& attachment : attachments) {
+                switch (attachment) {
+                case LOCAL_GL_COLOR:
+                    scopedVector->push_back(LOCAL_GL_COLOR_ATTACHMENT0);
+                    break;
+
+                case LOCAL_GL_DEPTH:
+                    scopedVector->push_back(LOCAL_GL_DEPTH_ATTACHMENT);
+                    break;
+
+                case LOCAL_GL_STENCIL:
+                    scopedVector->push_back(LOCAL_GL_STENCIL_ATTACHMENT);
+                    break;
+
+                default:
+                    MOZ_CRASH();
                 }
-                break;
+            }
+            *out_glNumAttachments = scopedVector->size();
+            *out_glAttachments = scopedVector->data();
         }
     }
 
@@ -142,59 +231,27 @@ WebGL2Context::InvalidateFramebuffer(GLenum target,
 {
     const char funcName[] = "invalidateSubFramebuffer";
 
-    if (IsContextLost())
+    std::vector<GLenum> scopedVector;
+    GLsizei glNumAttachments;
+    const GLenum* glAttachments;
+    if (!ValidateInvalidateFramebuffer(funcName, target, attachments, &rv, &scopedVector,
+                                       &glNumAttachments, &glAttachments))
+    {
         return;
-
-    MakeContextCurrent();
-
-    if (!ValidateFramebufferTarget(target, funcName))
-        return;
-
-    const WebGLFramebuffer* fb;
-    bool isDefaultFB;
-    switch (target) {
-    case LOCAL_GL_FRAMEBUFFER:
-    case LOCAL_GL_DRAW_FRAMEBUFFER:
-        fb = mBoundDrawFramebuffer;
-        isDefaultFB = gl->Screen()->IsDrawFramebufferDefault();
-        break;
-
-    case LOCAL_GL_READ_FRAMEBUFFER:
-        fb = mBoundReadFramebuffer;
-        isDefaultFB = gl->Screen()->IsReadFramebufferDefault();
-        break;
-
-    default:
-        MOZ_CRASH("GFX: Bad target.");
     }
 
-    const bool badColorAttachmentIsInvalidOp = true;
-    for (size_t i = 0; i < attachments.Length(); i++) {
-        if (!ValidateFramebufferAttachment(fb, attachments[i], funcName,
-                                           badColorAttachmentIsInvalidOp))
-        {
-            return;
-        }
-    }
+    ////
 
-    // InvalidateFramebuffer is a hint to the driver. Should be OK to
-    // skip calls if not supported, for example by OSX 10.9 GL
-    // drivers.
-    if (!gl->IsSupported(gl::GLFeature::invalidate_framebuffer))
+    // Some drivers (like OSX 10.9 GL) just don't support invalidate_framebuffer.
+    const bool useFBInvalidation = (mAllowFBInvalidation &&
+                                    gl->IsSupported(gl::GLFeature::invalidate_framebuffer));
+    if (useFBInvalidation) {
+        gl->fInvalidateFramebuffer(target, glNumAttachments, glAttachments);
         return;
-
-    if (!fb && !isDefaultFB) {
-        dom::Sequence<GLenum> tmpAttachments;
-        if (!TranslateDefaultAttachments(attachments, &tmpAttachments)) {
-            rv.Throw(NS_ERROR_OUT_OF_MEMORY);
-            return;
-        }
-
-        gl->fInvalidateFramebuffer(target, tmpAttachments.Length(),
-                                   tmpAttachments.Elements());
-    } else {
-        gl->fInvalidateFramebuffer(target, attachments.Length(), attachments.Elements());
     }
+
+    // Use clear instead?
+    // No-op for now.
 }
 
 void
@@ -204,65 +261,34 @@ WebGL2Context::InvalidateSubFramebuffer(GLenum target, const dom::Sequence<GLenu
 {
     const char funcName[] = "invalidateSubFramebuffer";
 
-    if (IsContextLost())
-        return;
-
-    MakeContextCurrent();
-
-    if (!ValidateFramebufferTarget(target, funcName))
-        return;
-
-    if (width < 0 || height < 0) {
-        ErrorInvalidValue("%s: width and height must be >= 0.", funcName);
+    std::vector<GLenum> scopedVector;
+    GLsizei glNumAttachments;
+    const GLenum* glAttachments;
+    if (!ValidateInvalidateFramebuffer(funcName, target, attachments, &rv, &scopedVector,
+                                       &glNumAttachments, &glAttachments))
+    {
         return;
     }
 
-    const WebGLFramebuffer* fb;
-    bool isDefaultFB;
-    switch (target) {
-    case LOCAL_GL_FRAMEBUFFER:
-    case LOCAL_GL_DRAW_FRAMEBUFFER:
-        fb = mBoundDrawFramebuffer;
-        isDefaultFB = gl->Screen()->IsDrawFramebufferDefault();
-        break;
-
-    case LOCAL_GL_READ_FRAMEBUFFER:
-        fb = mBoundReadFramebuffer;
-        isDefaultFB = gl->Screen()->IsReadFramebufferDefault();
-        break;
-
-    default:
-        MOZ_CRASH("GFX: Bad target.");
-    }
-
-    const bool badColorAttachmentIsInvalidOp = true;
-    for (size_t i = 0; i < attachments.Length(); i++) {
-        if (!ValidateFramebufferAttachment(fb, attachments[i], funcName,
-                                           badColorAttachmentIsInvalidOp))
-        {
-            return;
-        }
-    }
-
-    // InvalidateFramebuffer is a hint to the driver. Should be OK to
-    // skip calls if not supported, for example by OSX 10.9 GL
-    // drivers.
-    if (!gl->IsSupported(gl::GLFeature::invalidate_framebuffer))
+    if (!ValidateNonNegative(funcName, "width", width) ||
+        !ValidateNonNegative(funcName, "height", height))
+    {
         return;
-
-    if (!fb && !isDefaultFB) {
-        dom::Sequence<GLenum> tmpAttachments;
-        if (!TranslateDefaultAttachments(attachments, &tmpAttachments)) {
-            rv.Throw(NS_ERROR_OUT_OF_MEMORY);
-            return;
-        }
-
-        gl->fInvalidateSubFramebuffer(target, tmpAttachments.Length(),
-                                      tmpAttachments.Elements(), x, y, width, height);
-    } else {
-        gl->fInvalidateSubFramebuffer(target, attachments.Length(),
-                                      attachments.Elements(), x, y, width, height);
     }
+
+    ////
+
+    // Some drivers (like OSX 10.9 GL) just don't support invalidate_framebuffer.
+    const bool useFBInvalidation = (mAllowFBInvalidation &&
+                                    gl->IsSupported(gl::GLFeature::invalidate_framebuffer));
+    if (useFBInvalidation) {
+        gl->fInvalidateSubFramebuffer(target, glNumAttachments, glAttachments, x, y,
+                                      width, height);
+        return;
+    }
+
+    // Use clear instead?
+    // No-op for now.
 }
 
 void

dom/canvas/WebGLContext.cpp

@@ -126,6 +126,7 @@ WebGLContext::WebGLContext()
     , mNeedsFakeNoDepth(false)
     , mNeedsFakeNoStencil(false)
     , mNeedsEmulatedLoneDepthStencil(false)
+    , mAllowFBInvalidation(gfxPrefs::WebGLFBInvalidation())
 {
     mGeneration = 0;
     mInvalidated = false;

dom/canvas/WebGLContext.h

@@ -536,11 +536,6 @@ public:
                               GLenum texImageTarget, WebGLTexture* tex,
                               GLint level);
 
-    // Framebuffer validation
-    bool ValidateFramebufferAttachment(const WebGLFramebuffer* fb, GLenum attachment,
-                                       const char* funcName,
-                                       bool badColorAttachmentIsInvalidOp = false);
-
     void FrontFace(GLenum mode);
     already_AddRefed<WebGLActiveInfo> GetActiveAttrib(const WebGLProgram& prog,
                                                       GLuint index);
@@ -1687,6 +1682,12 @@ protected:
     RefPtr<const webgl::LinkedProgramInfo> mActiveProgramLinkInfo;
 
     bool ValidateFramebufferTarget(GLenum target, const char* const info);
+    bool ValidateInvalidateFramebuffer(const char* funcName, GLenum target,
+                                       const dom::Sequence<GLenum>& attachments,
+                                       ErrorResult* const out_rv,
+                                       std::vector<GLenum>* const scopedVector,
+                                       GLsizei* const out_glNumAttachments,
+                                       const GLenum** const out_glAttachments);
 
     WebGLRefPtr<WebGLFramebuffer> mBoundDrawFramebuffer;
     WebGLRefPtr<WebGLFramebuffer> mBoundReadFramebuffer;
@@ -1828,6 +1829,8 @@ protected:
     bool mNeedsFakeNoStencil;
     bool mNeedsEmulatedLoneDepthStencil;
 
+    const bool mAllowFBInvalidation;
+
     bool Has64BitTimestamps() const;
 
     struct ScopedMaskWorkaround {

dom/canvas/WebGLContextValidate.cpp

@@ -196,50 +196,6 @@ WebGLContext::ValidateDrawModeEnum(GLenum mode, const char* info)
     }
 }
 
-bool
-WebGLContext::ValidateFramebufferAttachment(const WebGLFramebuffer* fb, GLenum attachment,
-                                            const char* funcName,
-                                            bool badColorAttachmentIsInvalidOp)
-{
-    if (!fb) {
-        switch (attachment) {
-        case LOCAL_GL_COLOR:
-        case LOCAL_GL_DEPTH:
-        case LOCAL_GL_STENCIL:
-            return true;
-
-        default:
-            ErrorInvalidEnum("%s: attachment: invalid enum value 0x%x.",
-                             funcName, attachment);
-            return false;
-        }
-    }
-
-    if (attachment == LOCAL_GL_DEPTH_ATTACHMENT ||
-        attachment == LOCAL_GL_STENCIL_ATTACHMENT ||
-        attachment == LOCAL_GL_DEPTH_STENCIL_ATTACHMENT)
-    {
-        return true;
-    }
-
-    if (attachment >= LOCAL_GL_COLOR_ATTACHMENT0 &&
-        attachment <= LastColorAttachmentEnum())
-    {
-        return true;
-    }
-
-    if (badColorAttachmentIsInvalidOp &&
-        attachment >= LOCAL_GL_COLOR_ATTACHMENT0)
-    {
-        const uint32_t offset = attachment - LOCAL_GL_COLOR_ATTACHMENT0;
-        ErrorInvalidOperation("%s: Bad color attachment: COLOR_ATTACHMENT%u. (0x%04x)",
-                              funcName, offset, attachment);
-    } else {
-        ErrorInvalidEnum("%s: attachment: Bad attachment 0x%x.", funcName, attachment);
-    }
-    return false;
-}
-
 bool
 WebGLContext::ValidateUniformLocation(WebGLUniformLocation* loc, const char* funcName)
 {

dom/canvas/test/webgl-conf/checkout/conformance2/renderbuffers/invalidate-framebuffer.html

@@ -85,8 +85,8 @@ if (!gl) {
 
   // in real world case, after some drawing, we can invalidate the depth attachment of the bound fbo
   invalidation(gl.FRAMEBUFFER, gl.DEPTH_ATTACHMENT, gl.STENCIL_ATTACHMENT);
- 
-  // set up framebuffer to blit to and read back from 
+
+  // set up framebuffer to blit to and read back from
   var fb = gl.createFramebuffer();
   gl.bindFramebuffer(gl.FRAMEBUFFER, fb);
   var buffer = gl.createRenderbuffer();
@@ -102,16 +102,16 @@ if (!gl) {
   gl.blitFramebuffer(0, 0, canvas.width, canvas.height, 0, 0, canvas.width, canvas.height, gl.COLOR_BUFFER_BIT, gl.NEAREST);
   wtu.glErrorShouldBe(gl, gl.NO_ERROR,
       "should be no errors after bliting framebuffer.");
- 
+
   // invalidate the multi-sampled color attachment of the bound read framebuffer after blitFramebuffer.
   invalidation(gl.READ_FRAMEBUFFER, gl.COLOR_ATTACHMENT0, gl.DEPTH_ATTACHMENT);
 
   var maxColorAttachments = gl.getParameter(gl.MAX_COLOR_ATTACHMENTS);
   gl.invalidateSubFramebuffer(gl.READ_FRAMEBUFFER, [gl.COLOR_ATTACHMENT0 + maxColorAttachments], 5, 5, 10, 10);
-  wtu.glErrorShouldBe(gl, gl.INVALID_OPERATION,
+  wtu.glErrorShouldBe(gl, [gl.INVALID_OPERATION, gl.INVALID_ENUM],
       "calling invalidateSubFramebuffer to invalidate a COLOR_ATTACHMENT that exceeds MAX_COLOR_ATTACHMENT should generate INVALID_OPERATION.");
   gl.invalidateFramebuffer(gl.READ_FRAMEBUFFER, [gl.COLOR_ATTACHMENT0 + maxColorAttachments]);
-  wtu.glErrorShouldBe(gl, gl.INVALID_OPERATION,
+  wtu.glErrorShouldBe(gl, [gl.INVALID_OPERATION, gl.INVALID_ENUM],
       "calling invalidateFramebuffer to invalidate a COLOR_ATTACHMENT that exceeds MAX_COLOR_ATTACHMENT should generate INVALID_OPERATION.");
 
   // invalidate the default framebuffer

dom/ipc/ContentChild.cpp

@@ -1506,20 +1506,6 @@ ContentChild::RecvSetProcessSandbox(const MaybeFileDesc& aBroker)
   return IPC_OK();
 }
 
-mozilla::ipc::IPCResult
-ContentChild::RecvNotifyLayerAllocated(const dom::TabId& aTabId, const uint64_t& aLayersId)
-{
-  if (!CompositorBridgeChild::Get()->IPCOpen()) {
-    return IPC_OK();
-  }
-
-  // Note: sending the constructor could fail, but we do not propagate the
-  // error back since the GPU process is fallible.
-  APZChild* apz = ContentProcessController::Create(aTabId);
-  CompositorBridgeChild::Get()->SendPAPZConstructor(apz, aLayersId);
-  return IPC_OK();
-}
-
 mozilla::ipc::IPCResult
 ContentChild::RecvBidiKeyboardNotify(const bool& aIsLangRTL,
                                      const bool& aHaveBidiKeyboards)

dom/ipc/ContentChild.h

@@ -373,8 +373,6 @@ public:
   virtual mozilla::ipc::IPCResult RecvSetConnectivity(const bool& connectivity) override;
   virtual mozilla::ipc::IPCResult RecvSetCaptivePortalState(const int32_t& state) override;
 
-  virtual mozilla::ipc::IPCResult RecvNotifyLayerAllocated(const dom::TabId& aTabId, const uint64_t& aLayersId) override;
-
   virtual mozilla::ipc::IPCResult RecvBidiKeyboardNotify(const bool& isLangRTL,
                                                          const bool& haveBidiKeyboards) override;
 

dom/ipc/ContentParent.cpp

@@ -1381,11 +1381,7 @@ ContentParent::AllocateLayerTreeId(ContentParent* aContent,
 
   gpu->MapLayerTreeId(*aId, aContent->OtherPid());
 
-  if (!gfxPlatform::AsyncPanZoomEnabled()) {
-    return true;
-  }
-
-  return aContent->SendNotifyLayerAllocated(aTabId, *aId);
+  return true;
 }
 
 mozilla::ipc::IPCResult

dom/ipc/PContent.ipdl

@@ -441,11 +441,6 @@ child:
     async PMemoryReportRequest(uint32_t generation, bool anonymize,
                                bool minimizeMemoryUsage, MaybeFileDesc DMDFile);
 
-    /**
-     * Sent to notify that aTabId has been allocated aLayersId
-     */
-    async NotifyLayerAllocated(TabId aTabId, uint64_t aLayersId);
-
     /**
      * Communication between the PuppetBidiKeyboard and the actual
      * BidiKeyboard hosted by the parent

dom/ipc/TabChild.cpp

@@ -27,10 +27,12 @@
 #include "mozilla/layers/APZChild.h"
 #include "mozilla/layers/APZCCallbackHelper.h"
 #include "mozilla/layers/APZCTreeManager.h"
+#include "mozilla/layers/APZCTreeManagerChild.h"
 #include "mozilla/layers/APZEventState.h"
 #include "mozilla/layers/ContentProcessController.h"
 #include "mozilla/layers/CompositorBridgeChild.h"
 #include "mozilla/layers/DoubleTapToZoom.h"
+#include "mozilla/layers/IAPZCTreeManager.h"
 #include "mozilla/layers/ImageBridgeChild.h"
 #include "mozilla/layers/InputAPZContext.h"
 #include "mozilla/layers/ShadowLayers.h"
@@ -2537,7 +2539,7 @@ TabChild::InitRenderingState(const TextureFactoryIdentifier& aTextureFactoryIden
       mLayersId = aLayersId;
     }
 
-    mApzcTreeManager = CompositorBridgeChild::Get()->GetAPZCTreeManager(mLayersId);
+    InitAPZState();
 
     nsCOMPtr<nsIObserverService> observerService =
         mozilla::services::GetObserverService();
@@ -2549,6 +2551,28 @@ TabChild::InitRenderingState(const TextureFactoryIdentifier& aTextureFactoryIden
     }
 }
 
+void
+TabChild::InitAPZState()
+{
+  auto cbc = CompositorBridgeChild::Get();
+
+  if (!cbc->GetAPZEnabled(mLayersId)) {
+    return;
+  }
+
+  // Initialize the ApzcTreeManager. This takes multiple casts because of ugly multiple inheritance.
+  PAPZCTreeManagerChild* baseProtocol = cbc->SendPAPZCTreeManagerConstructor(mLayersId);
+  APZCTreeManagerChild* derivedProtocol = static_cast<APZCTreeManagerChild*>(baseProtocol);
+
+  mApzcTreeManager = RefPtr<IAPZCTreeManager>(derivedProtocol);
+
+  // Initialize the GeckoContentController for this tab. We don't hold a reference because we don't need it.
+  // The ContentProcessController will hold a reference to the tab, and will be destroyed by the compositor or ipdl
+  // during destruction.
+  RefPtr<GeckoContentController> contentController = new ContentProcessController(this);
+  cbc->SendPAPZConstructor(new APZChild(contentController), mLayersId);
+}
+
 void
 TabChild::GetDPI(float* aDPI)
 {
@@ -2892,11 +2916,7 @@ TabChild::ReinitRendering()
   ShadowLayerForwarder* lf = lm->AsShadowForwarder();
   lf->IdentifyTextureHost(mTextureFactoryIdentifier);
 
-  mApzcTreeManager = CompositorBridgeChild::Get()->GetAPZCTreeManager(mLayersId);
-  if (mApzcTreeManager) {
-    APZChild* apz = ContentProcessController::Create(mUniqueId);
-    CompositorBridgeChild::Get()->SendPAPZConstructor(apz, mLayersId);
-  }
+  InitAPZState();
 
   nsCOMPtr<nsIDocument> doc(GetDocument());
   doc->NotifyLayerManagerRecreated();

dom/ipc/TabChild.h

@@ -722,6 +722,7 @@ private:
   void InitRenderingState(const TextureFactoryIdentifier& aTextureFactoryIdentifier,
                           const uint64_t& aLayersId,
                           PRenderFrameChild* aRenderFrame);
+  void InitAPZState();
 
   void DestroyWindow();
 
@@ -786,9 +787,6 @@ private:
   AutoTArray<bool, NUMBER_OF_AUDIO_CHANNELS> mAudioChannelsActive;
 
   RefPtr<layers::IAPZCTreeManager> mApzcTreeManager;
-  // APZChild clears this pointer from its destructor, so it shouldn't be a
-  // dangling pointer.
-  layers::APZChild* mAPZChild;
 
   // The most recently seen layer observer epoch in RecvSetDocShellIsActive.
   uint64_t mLayerObserverEpoch;

dom/locales/en-US/chrome/layout/layout_errors.properties

@@ -28,11 +28,13 @@ CompositorAnimationWarningTransformBackfaceVisibilityHidden=Animations of ‘bac
 CompositorAnimationWarningTransformPreserve3D=Animations of ‘transform-style: preserve-3d’ transforms cannot be run on the compositor
 ## LOCALIZATION NOTE(CompositorAnimationWarningTransformSVG,
 ##                   CompositorAnimationWarningTransformWithGeometricProperties,
+##                   CompositorAnimationWarningTransformWithSyncGeometricAnimations,
 ##                   CompositorAnimationWarningTransformFrameInactive,
 ##                   CompositorAnimationWarningOpacityFrameInactive):
 ## 'transform' and 'opacity' mean CSS property names, don't translate it.
 CompositorAnimationWarningTransformSVG=Animations of ‘transform’ on elements with SVG transforms cannot be run on the compositor
 CompositorAnimationWarningTransformWithGeometricProperties=Animations of ‘transform’ cannot be run on the compositor when geometric properties are animated on the same element at the same time
+CompositorAnimationWarningTransformWithSyncGeometricAnimations=Animation of ‘transform’ cannot be run on the compositor because it should be synchronized with animations of geometric properties that started at the same time
 CompositorAnimationWarningTransformFrameInactive=Animation cannot be run on the compositor because the frame was not marked active for ‘transform’ animation
 CompositorAnimationWarningOpacityFrameInactive=Animation cannot be run on the compositor because the frame was not marked active for ‘opacity’ animation
 CompositorAnimationWarningHasRenderingObserver=Animation cannot be run on the compositor because the element has rendering observers (-moz-element or SVG clipping/masking)

gfx/layers/apz/util/ContentProcessController.cpp

@@ -15,112 +15,12 @@
 namespace mozilla {
 namespace layers {
 
-/**
- * There are cases where we try to create the APZChild before the corresponding
- * TabChild has been created, we use an observer for the "tab-child-created"
- * topic to set the TabChild in the APZChild when it has been created.
- */
-class TabChildCreatedObserver : public nsIObserver
+ContentProcessController::ContentProcessController(const RefPtr<dom::TabChild>& aBrowser)
+    : mBrowser(aBrowser)
 {
-public:
-  TabChildCreatedObserver(ContentProcessController* aController, const dom::TabId& aTabId)
-    : mController(aController),
-      mTabId(aTabId)
-  {}
-
-  NS_DECL_ISUPPORTS
-  NS_DECL_NSIOBSERVER
-
-private:
-  virtual ~TabChildCreatedObserver()
-  {}
-
-  // TabChildCreatedObserver is owned by mController, and mController outlives its
-  // TabChildCreatedObserver, so the raw pointer is fine.
-  ContentProcessController* mController;
-  dom::TabId mTabId;
-};
-
-NS_IMPL_ISUPPORTS(TabChildCreatedObserver, nsIObserver)
-
-NS_IMETHODIMP
-TabChildCreatedObserver::Observe(nsISupports* aSubject,
-                                 const char* aTopic,
-                                 const char16_t* aData)
-{
-  MOZ_ASSERT(strcmp(aTopic, "tab-child-created") == 0);
-
-  nsCOMPtr<nsITabChild> tabChild(do_QueryInterface(aSubject));
-  NS_ENSURE_TRUE(tabChild, NS_ERROR_FAILURE);
-
-  dom::TabChild* browser = static_cast<dom::TabChild*>(tabChild.get());
-
-  if (browser->GetTabId() == mTabId) {
-    mController->SetBrowser(browser);
-  }
-  return NS_OK;
+  MOZ_ASSERT(mBrowser);
 }
 
-APZChild*
-ContentProcessController::Create(const dom::TabId& aTabId)
-{
-  RefPtr<dom::TabChild> browser = dom::TabChild::FindTabChild(aTabId);
-
-  ContentProcessController* controller = new ContentProcessController();
-
-  nsAutoPtr<APZChild> apz(new APZChild(controller));
-
-  if (browser) {
-
-    controller->SetBrowser(browser);
-
-  } else {
-
-    RefPtr<TabChildCreatedObserver> observer =
-      new TabChildCreatedObserver(controller, aTabId);
-    nsCOMPtr<nsIObserverService> os = services::GetObserverService();
-    if (!os ||
-        NS_FAILED(os->AddObserver(observer, "tab-child-created", false))) {
-      return nullptr;
-    }
-    controller->SetObserver(observer);
-
-  }
-
-  return apz.forget();
-}
-
-ContentProcessController::ContentProcessController()
-    : mBrowser(nullptr)
-{
-}
-ContentProcessController::~ContentProcessController()
-{
-  if (mObserver) {
-    nsCOMPtr<nsIObserverService> os = services::GetObserverService();
-    os->RemoveObserver(mObserver, "tab-child-created");
-  }
-}
-
-void
-ContentProcessController::SetObserver(nsIObserver* aObserver)
-{
-  MOZ_ASSERT(!mBrowser);
-  mObserver = aObserver;
-}
-
-void
-ContentProcessController::SetBrowser(dom::TabChild* aBrowser)
-{
-  MOZ_ASSERT(!mBrowser);
-  mBrowser = aBrowser;
-
-  if (mObserver) {
-    nsCOMPtr<nsIObserverService> os = services::GetObserverService();
-    os->RemoveObserver(mObserver, "tab-child-created");
-    mObserver = nullptr;
-  }
-}
 void
 ContentProcessController::RequestContentRepaint(const FrameMetrics& aFrameMetrics)
 {

gfx/layers/apz/util/ContentProcessController.h

@@ -36,13 +36,7 @@ class ContentProcessController final
       : public GeckoContentController
 {
 public:
-  ~ContentProcessController();
-
-  static APZChild* Create(const dom::TabId& aTabId);
-
-  // ContentProcessController
-
-  void SetBrowser(dom::TabChild* aBrowser);
+  explicit ContentProcessController(const RefPtr<dom::TabChild>& aBrowser);
 
   // GeckoContentController
 
@@ -75,12 +69,7 @@ public:
   void DispatchToRepaintThread(already_AddRefed<Runnable> aTask) override;
 
 private:
-  ContentProcessController();
-
-  void SetObserver(nsIObserver* aObserver);
-
   RefPtr<dom::TabChild> mBrowser;
-  RefPtr<nsIObserver> mObserver;
 };
 
 } // namespace layers

gfx/layers/ipc/CompositorBridgeChild.cpp

@@ -1092,23 +1092,12 @@ CompositorBridgeChild::DeallocPCompositorWidgetChild(PCompositorWidgetChild* aAc
 #endif
 }
 
-RefPtr<IAPZCTreeManager>
-CompositorBridgeChild::GetAPZCTreeManager(uint64_t aLayerTreeId)
+bool
+CompositorBridgeChild::GetAPZEnabled(uint64_t aLayerTreeId)
 {
-  bool apzEnabled = false;
-  Unused << SendAsyncPanZoomEnabled(aLayerTreeId, &apzEnabled);
-
-  if (!apzEnabled) {
-    return nullptr;
-  }
-
-  PAPZCTreeManagerChild* child = SendPAPZCTreeManagerConstructor(aLayerTreeId);
-  if (!child) {
-    return nullptr;
-  }
-  APZCTreeManagerChild* parent = static_cast<APZCTreeManagerChild*>(child);
-
-  return RefPtr<IAPZCTreeManager>(parent);
+  bool result = false;
+  Unused << SendAsyncPanZoomEnabled(aLayerTreeId, &result);
+  return result;
 }
 
 PAPZCTreeManagerChild*

gfx/layers/ipc/CompositorBridgeChild.h

@@ -220,7 +220,7 @@ public:
   PCompositorWidgetChild* AllocPCompositorWidgetChild(const CompositorWidgetInitData& aInitData) override;
   bool DeallocPCompositorWidgetChild(PCompositorWidgetChild* aActor) override;
 
-  RefPtr<IAPZCTreeManager> GetAPZCTreeManager(uint64_t aLayerTreeId);
+  bool GetAPZEnabled(uint64_t aLayerTreeId);
 
   PAPZCTreeManagerChild* AllocPAPZCTreeManagerChild(const uint64_t& aLayersId) override;
   bool DeallocPAPZCTreeManagerChild(PAPZCTreeManagerChild* aActor) override;

gfx/thebes/gfxPrefs.h

@@ -608,6 +608,7 @@ private:
   DECL_GFX_PREF(Live, "webgl.prefer-16bpp",                    WebGLPrefer16bpp, bool, false);
   DECL_GFX_PREF(Live, "webgl.restore-context-when-visible",    WebGLRestoreWhenVisible, bool, true);
   DECL_GFX_PREF(Live, "webgl.allow-immediate-queries",         WebGLImmediateQueries, bool, false);
+  DECL_GFX_PREF(Live, "webgl.allow-fb-invalidation",           WebGLFBInvalidation, bool, false);
 
   DECL_GFX_PREF(Live, "webgl.webgl2-compat-mode",              WebGL2CompatMode, bool, false);
 

js/public/ProfilingFrameIterator.h

@@ -55,8 +55,6 @@ class JS_PUBLIC_API(ProfilingFrameIterator)
     // activation (if any) comes around.
     void* savedPrevJitTop_;
 
-    JS::AutoCheckCannotGC nogc_;
-
     static const unsigned StorageSpace = 8 * sizeof(void*);
     mozilla::AlignedStorage<StorageSpace> storage_;
     js::wasm::ProfilingFrameIterator& wasmIter() {
@@ -140,7 +138,7 @@ class JS_PUBLIC_API(ProfilingFrameIterator)
     void iteratorConstruct();
     void iteratorDestroy();
     bool iteratorDone();
-};
+} JS_HAZ_GC_INVALIDATED;
 
 JS_FRIEND_API(bool)
 IsProfilingEnabledForContext(JSContext* cx);

js/src/gc/GCRuntime.h

@@ -731,13 +731,18 @@ class GCRuntime
 #endif // DEBUG
 
     bool isInsideUnsafeRegion() { return inUnsafeRegion != 0; }
-    void enterUnsafeRegion() { ++inUnsafeRegion; }
+    void enterUnsafeRegion() {
+        MOZ_ASSERT(CurrentThreadCanAccessRuntime(rt));
+        ++inUnsafeRegion;
+    }
     void leaveUnsafeRegion() {
+        MOZ_ASSERT(CurrentThreadCanAccessRuntime(rt));
         MOZ_ASSERT(inUnsafeRegion > 0);
         --inUnsafeRegion;
     }
 
     void verifyIsSafeToGC() {
+        MOZ_ASSERT(CurrentThreadCanAccessRuntime(rt));
         MOZ_DIAGNOSTIC_ASSERT(!isInsideUnsafeRegion(),
                               "[AutoAssertNoGC] possible GC in GC-unsafe region");
     }

js/src/gc/Verifier.cpp

@@ -175,7 +175,7 @@ gc::GCRuntime::startVerifyPreBarriers()
     if (verifyPreData || isIncrementalGCInProgress())
         return;
 
-    if (IsIncrementalGCUnsafe(rt) != AbortReason::None)
+    if (IsIncrementalGCUnsafe(rt) != AbortReason::None || rt->keepAtoms())
         return;
 
     number++;
@@ -342,7 +342,7 @@ gc::GCRuntime::endVerifyPreBarriers()
     verifyPreData = nullptr;
     incrementalState = State::NotActive;
 
-    if (!compartmentCreated && IsIncrementalGCUnsafe(rt) == AbortReason::None) {
+    if (!compartmentCreated && IsIncrementalGCUnsafe(rt) == AbortReason::None && !rt->keepAtoms()) {
         CheckEdgeTracer cetrc(rt);
 
         /* Start after the roots. */

js/src/jsgc.cpp

@@ -3801,14 +3801,22 @@ GCRuntime::beginMarkPhase(JS::gcreason::Reason reason, AutoLockForExclusiveAcces
     }
 
     /*
-     * Atoms are not in the cross-compartment map. So if there are any
-     * zones that are not being collected, we are not allowed to collect
-     * atoms. Otherwise, the non-collected zones could contain pointers
-     * to atoms that we would miss.
+     * Atoms are not in the cross-compartment map. If there are any zones that
+     * are not being collected then we cannot collect the atoms zone, otherwise
+     * the non-collected zones could contain pointers to atoms that we would
+     * miss.
      *
-     * keepAtoms() will only change on the main thread, which we are currently
-     * on. If the value of keepAtoms() changes between GC slices, then we'll
-     * cancel the incremental GC. See IsIncrementalGCSafe.
+     * If keepAtoms() is true then either an instance of AutoKeepAtoms is
+     * currently on the stack or parsing is currently happening on another
+     * thread. In either case we don't have information about which atoms are
+     * roots, so we must skip collecting atoms.
+     *
+     * Note that only affects the first slice of an incremental GC since root
+     * marking is completed before we return to the mutator.
+     *
+     * Off-main-thread parsing is inhibited after the start of GC which prevents
+     * races between creating atoms during parsing and sweeping atoms on the
+     * main thread.
      */
     if (isFull && !rt->keepAtoms()) {
         Zone* atomsZone = rt->atomsCompartment(lock)->zone();
@@ -5993,9 +6001,6 @@ gc::IsIncrementalGCUnsafe(JSRuntime* rt)
 {
     MOZ_ASSERT(!rt->mainThread.suppressGC);
 
-    if (rt->keepAtoms())
-        return gc::AbortReason::KeepAtomsSet;
-
     if (!rt->gc.isIncrementalGCAllowed())
         return gc::AbortReason::IncrementalDisabled;
 
@@ -6167,6 +6172,10 @@ GCRuntime::gcCycle(bool nonincrementalByAPI, SliceBudget& budget, JS::gcreason::
 
     State prevState = incrementalState;
 
+    // We don't allow off-main-thread parsing to start while we're doing an
+    // incremental GC.
+    MOZ_ASSERT_IF(rt->activeGCInAtomsZone(), !rt->exclusiveThreadsPresent());
+
     if (nonincrementalByAPI) {
         // Reset any in progress incremental GC if this was triggered via the
         // API. This isn't required for correctness, but sometimes during tests

js/src/jsgc.h

@@ -55,7 +55,7 @@ enum class State {
     D(None) \
     D(NonIncrementalRequested) \
     D(AbortRequested) \
-    D(KeepAtomsSet) \
+    D(Unused1) \
     D(IncrementalDisabled) \
     D(ModeChange) \
     D(MallocBytesTrigger) \

js/src/vm/Stack.cpp

@@ -1723,8 +1723,7 @@ JS::ProfilingFrameIterator::ProfilingFrameIterator(JSContext* cx, const Register
   : rt_(cx),
     sampleBufferGen_(sampleBufferGen),
     activation_(nullptr),
-    savedPrevJitTop_(nullptr),
-    nogc_(cx)
+    savedPrevJitTop_(nullptr)
 {
     if (!cx->spsProfiler.enabled())
         MOZ_CRASH("ProfilingFrameIterator called when spsProfiler not enabled for runtime.");

layout/xul/nsXULPopupManager.cpp

@@ -910,8 +910,8 @@ nsXULPopupManager::ShowPopupCallback(nsIContent* aPopup,
   aPopup->GetAttr(kNameSpaceID_None, nsGkAtoms::ignorekeys, ignorekeys);
   if (ignorekeys.EqualsLiteral("true")) {
     item->SetIgnoreKeys(eIgnoreKeys_True);
-  } else if (ignorekeys.EqualsLiteral("handled")) {
-    item->SetIgnoreKeys(eIgnoreKeys_Handled);
+  } else if (ignorekeys.EqualsLiteral("shortcuts")) {
+    item->SetIgnoreKeys(eIgnoreKeys_Shortcuts);
   }
 
   if (ismenu) {
@@ -2631,7 +2631,7 @@ nsXULPopupManager::KeyUp(nsIDOMKeyEvent* aKeyEvent)
     if (!item || item->PopupType() != ePopupTypeMenu)
       return NS_OK;
 
-    if (item->IgnoreKeys() == eIgnoreKeys_Handled) {
+    if (item->IgnoreKeys() == eIgnoreKeys_Shortcuts) {
       aKeyEvent->AsEvent()->StopCrossProcessForwarding();
       return NS_OK;
     }
@@ -2661,7 +2661,7 @@ nsXULPopupManager::KeyDown(nsIDOMKeyEvent* aKeyEvent)
 
   // Since a menu was open, stop propagation of the event to keep other event
   // listeners from becoming confused.
-  if (!item || item->IgnoreKeys() != eIgnoreKeys_Handled) {
+  if (!item || item->IgnoreKeys() != eIgnoreKeys_Shortcuts) {
     aKeyEvent->AsEvent()->StopPropagation();
   }
 
@@ -2726,15 +2726,21 @@ nsXULPopupManager::KeyPress(nsIDOMKeyEvent* aKeyEvent)
   // if a menu is open or a menubar is active, it consumes the key event
   bool consume = (mPopups || mActiveMenuBar);
 
-  // When ignorekeys="handled" is used, we don't call preventDefault on the key
-  // event, which allows another listener to handle keys that the popup hasn't
-  // already handled. For instance, this allows global shortcuts to still apply
-  // while a menu is open.
-  bool onlyHandled = item && item->IgnoreKeys() == eIgnoreKeys_Handled;
-  bool handled = HandleShortcutNavigation(keyEvent, nullptr);
+  WidgetInputEvent* evt = aKeyEvent->AsEvent()->WidgetEventPtr()->AsInputEvent();
+  bool isAccel = evt && evt->IsAccel();
+
+  // When ignorekeys="shortcuts" is used, we don't call preventDefault on the
+  // key event when the accelerator key is pressed. This allows another
+  // listener to handle keys. For instance, this allows global shortcuts to
+  // still apply while a menu is open.
+  if (item && item->IgnoreKeys() == eIgnoreKeys_Shortcuts && isAccel) {
+    consume = false;
+  }
+
+  HandleShortcutNavigation(keyEvent, nullptr);
 
   aKeyEvent->AsEvent()->StopCrossProcessForwarding();
-  if (handled || (consume && !onlyHandled)) {
+  if (consume) {
     aKeyEvent->AsEvent()->StopPropagation();
     aKeyEvent->AsEvent()->PreventDefault();
   }

layout/xul/nsXULPopupManager.h

@@ -102,7 +102,7 @@ enum nsNavigationDirection {
 enum nsIgnoreKeys {
   eIgnoreKeys_False,
   eIgnoreKeys_True,
-  eIgnoreKeys_Handled,
+  eIgnoreKeys_Shortcuts,
 };
 
 #define NS_DIRECTION_IS_INLINE(dir) (dir == eNavigationDirection_Start ||     \
@@ -632,13 +632,12 @@ public:
   void CancelMenuTimer(nsMenuParent* aMenuParent);
 
   /**
-   * Handles navigation for menu accelkeys. Returns true if the key has
-   * been handled. If aFrame is specified, then the key is handled by that
-   * popup, otherwise if aFrame is null, the key is handled by the active
-   * popup or menubar.
+   * Handles navigation for menu accelkeys. If aFrame is specified, then the
+   * key is handled by that popup, otherwise if aFrame is null, the key is
+   * handled by the active popup or menubar.
    */
   bool HandleShortcutNavigation(nsIDOMKeyEvent* aKeyEvent,
-                                  nsMenuPopupFrame* aFrame);
+                                nsMenuPopupFrame* aFrame);
 
   /**
    * Handles cursor navigation within a menu. Returns true if the key has

modules/libpref/init/all.js

@@ -4494,6 +4494,7 @@ pref("webgl.enable-privileged-extensions", false);
 pref("webgl.bypass-shader-validation", false);
 pref("webgl.disable-fail-if-major-performance-caveat", false);
 pref("webgl.disable-DOM-blit-uploads", false);
+pref("webgl.allow-fb-invalidation", false);
 pref("webgl.webgl2-compat-mode", false);
 
 pref("webgl.enable-webgl2", true);

netwerk/base/nsISocketTransport.idl

@@ -221,6 +221,13 @@ interface nsISocketTransport : nsITransport
      */
     const unsigned long MITM_OK = (1 << 6);
 
+    /**
+     * If set, do not use newer protocol features that might have interop problems
+     * on the Internet. Intended only for use with critical infra like the updater.
+     * default is false.
+     */
+    const unsigned long BE_CONSERVATIVE = (1 << 7);
+
     /**
      * Socket QoS/ToS markings. Valid values are IPTOS_DSCP_AFxx or
      * IPTOS_CLASS_CSx (or IPTOS_DSCP_EF, but currently no supported

netwerk/base/nsSocketTransport2.cpp

@@ -1159,6 +1159,9 @@ nsSocketTransport::BuildSocket(PRFileDesc *&fd, bool &proxyTransparent, bool &us
             if (mConnectionFlags & nsISocketTransport::MITM_OK)
                 controlFlags |= nsISocketProvider::MITM_OK;
 
+            if (mConnectionFlags & nsISocketTransport::BE_CONSERVATIVE)
+                controlFlags |= nsISocketProvider::BE_CONSERVATIVE;
+
             nsCOMPtr<nsISupports> secinfo;
             if (i == 0) {
                 // if this is the first type, we'll want the 

netwerk/ipc/NeckoChannelParams.ipdlh

@@ -117,6 +117,7 @@ struct HttpChannelOpenArgs
   nsCString                   appCacheClientID;
   bool                        allowSpdy;
   bool                        allowAltSvc;
+  bool                        beConservative;
   OptionalLoadInfoArgs        loadInfo;
   OptionalHttpResponseHead    synthesizedResponseHead;
   nsCString                   synthesizedSecurityInfoSerialization;

netwerk/protocol/http/HttpBaseChannel.cpp

@@ -87,6 +87,7 @@ HttpBaseChannel::HttpBaseChannel()
   , mTimingEnabled(false)
   , mAllowSpdy(true)
   , mAllowAltSvc(true)
+  , mBeConservative(false)
   , mResponseTimeoutEnabled(true)
   , mAllRedirectsSameOrigin(true)
   , mAllRedirectsPassTimingAllowCheck(true)
@@ -2304,6 +2305,22 @@ HttpBaseChannel::SetAllowAltSvc(bool aAllowAltSvc)
   return NS_OK;
 }
 
+NS_IMETHODIMP
+HttpBaseChannel::GetBeConservative(bool *aBeConservative)
+{
+  NS_ENSURE_ARG_POINTER(aBeConservative);
+
+  *aBeConservative = mBeConservative;
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+HttpBaseChannel::SetBeConservative(bool aBeConservative)
+{
+  mBeConservative = aBeConservative;
+  return NS_OK;
+}
+
 NS_IMETHODIMP
 HttpBaseChannel::GetApiRedirectToURI(nsIURI ** aResult)
 {
@@ -3069,10 +3086,11 @@ HttpBaseChannel::SetupReplacementChannel(nsIURI       *newURI,
   httpChannel->SetRequestContextID(mRequestContextID);
 
   if (httpInternal) {
-    // Convey third party cookie and spdy flags.
+    // Convey third party cookie, conservative, and spdy flags.
     httpInternal->SetThirdPartyFlags(mThirdPartyFlags);
     httpInternal->SetAllowSpdy(mAllowSpdy);
     httpInternal->SetAllowAltSvc(mAllowAltSvc);
+    httpInternal->SetBeConservative(mBeConservative);
 
     RefPtr<nsHttpChannel> realChannel;
     CallQueryInterface(newChannel, realChannel.StartAssignment());

netwerk/protocol/http/HttpBaseChannel.h

@@ -211,6 +211,8 @@ public:
   NS_IMETHOD SetAllowSpdy(bool aAllowSpdy) override;
   NS_IMETHOD GetAllowAltSvc(bool *aAllowAltSvc) override;
   NS_IMETHOD SetAllowAltSvc(bool aAllowAltSvc) override;
+  NS_IMETHOD GetBeConservative(bool *aBeConservative) override;
+  NS_IMETHOD SetBeConservative(bool aBeConservative) override;
   NS_IMETHOD GetApiRedirectToURI(nsIURI * *aApiRedirectToURI) override;
   virtual nsresult AddSecurityMessage(const nsAString &aMessageTag, const nsAString &aMessageCategory);
   NS_IMETHOD TakeAllSecurityMessages(nsCOMArray<nsISecurityConsoleMessage> &aMessages) override;
@@ -459,6 +461,7 @@ protected:
   uint32_t                          mTimingEnabled              : 1;
   uint32_t                          mAllowSpdy                  : 1;
   uint32_t                          mAllowAltSvc                : 1;
+  uint32_t                          mBeConservative             : 1;
   uint32_t                          mResponseTimeoutEnabled     : 1;
   // A flag that should be false only if a cross-domain redirect occurred
   uint32_t                          mAllRedirectsSameOrigin     : 1;

netwerk/protocol/http/HttpChannelChild.cpp

@@ -2084,6 +2084,7 @@ HttpChannelChild::ContinueAsyncOpen()
   openArgs.appCacheClientID() = appCacheClientId;
   openArgs.allowSpdy() = mAllowSpdy;
   openArgs.allowAltSvc() = mAllowAltSvc;
+  openArgs.beConservative() = mBeConservative;
   openArgs.initialRwin() = mInitialRwin;
 
   uint32_t cacheKey = 0;

netwerk/protocol/http/HttpChannelParent.cpp

@@ -123,7 +123,7 @@ HttpChannelParent::Init(const HttpChannelCreationArgs& aArgs)
                        a.redirectionLimit(), a.allowPipelining(), a.allowSTS(),
                        a.thirdPartyFlags(), a.resumeAt(), a.startPos(),
                        a.entityID(), a.chooseApplicationCache(),
-                       a.appCacheClientID(), a.allowSpdy(), a.allowAltSvc(),
+                       a.appCacheClientID(), a.allowSpdy(), a.allowAltSvc(), a.beConservative(),
                        a.loadInfo(), a.synthesizedResponseHead(),
                        a.synthesizedSecurityInfoSerialization(),
                        a.cacheKey(), a.requestContextID(), a.preflightArgs(),
@@ -315,6 +315,7 @@ HttpChannelParent::DoAsyncOpen(  const URIParams&           aURI,
                                  const nsCString&           appCacheClientID,
                                  const bool&                allowSpdy,
                                  const bool&                allowAltSvc,
+                                 const bool&                beConservative,
                                  const OptionalLoadInfoArgs& aLoadInfoArgs,
                                  const OptionalHttpResponseHead& aSynthesizedResponseHead,
                                  const nsCString&           aSecurityInfoSerialization,
@@ -525,6 +526,7 @@ HttpChannelParent::DoAsyncOpen(  const URIParams&           aURI,
   mChannel->SetThirdPartyFlags(thirdPartyFlags);
   mChannel->SetAllowSpdy(allowSpdy);
   mChannel->SetAllowAltSvc(allowAltSvc);
+  mChannel->SetBeConservative(beConservative);
   mChannel->SetInitialRwin(aInitialRwin);
   mChannel->SetBlockAuthPrompt(aBlockAuthPrompt);
 

netwerk/protocol/http/HttpChannelParent.h

@@ -129,6 +129,7 @@ protected:
                    const nsCString&           appCacheClientID,
                    const bool&                allowSpdy,
                    const bool&                allowAltSvc,
+                   const bool&                beConservative,
                    const OptionalLoadInfoArgs& aLoadInfoArgs,
                    const OptionalHttpResponseHead& aSynthesizedResponseHead,
                    const nsCString&           aSecurityInfoSerialization,

netwerk/protocol/http/nsHttp.h

@@ -88,6 +88,11 @@ typedef uint8_t nsHttpVersion;
 // First user is to prevent clearing of alt-svc cache on failed probe
 #define NS_HTTP_ERROR_SOFTLY         (1<<10)
 
+// This corresponds to nsIHttpChannelInternal.beConservative
+// it disables any cutting edge features that we are worried might result in
+// interop problems with critical infrastructure
+#define NS_HTTP_BE_CONSERVATIVE      (1<<11)
+
 //-----------------------------------------------------------------------------
 // some default values
 //-----------------------------------------------------------------------------

netwerk/protocol/http/nsHttpChannel.cpp

@@ -375,6 +375,7 @@ nsHttpChannel::Connect()
     mConnectionInfo->SetAnonymous((mLoadFlags & LOAD_ANONYMOUS) != 0);
     mConnectionInfo->SetPrivate(mPrivateBrowsing);
     mConnectionInfo->SetNoSpdy(mCaps & NS_HTTP_DISALLOW_SPDY);
+    mConnectionInfo->SetBeConservative((mCaps & NS_HTTP_BE_CONSERVATIVE) || mBeConservative);
 
     // Consider opening a TCP connection right away.
     SpeculativeConnect();
@@ -789,8 +790,12 @@ nsHttpChannel::SetupTransaction()
         }
     }
 
-    if (!mAllowSpdy)
+    if (!mAllowSpdy) {
         mCaps |= NS_HTTP_DISALLOW_SPDY;
+    }
+    if (mBeConservative) {
+        mCaps |= NS_HTTP_BE_CONSERVATIVE;
+    }
 
     // Use the URI path if not proxying (transparent proxying such as proxy
     // CONNECT does not count here). Also figure out what HTTP version to use.

netwerk/protocol/http/nsHttpConnectionInfo.cpp

@@ -145,8 +145,9 @@ void nsHttpConnectionInfo::BuildHashKey()
     // byte 3 is P/. P is for a private browising channel
     // byte 4 is I/. I is for insecure scheme on TLS for http:// uris
     // byte 5 is X/. X is for disallow_spdy flag
+    // byte 6 is C/. C is for be Conservative
 
-    mHashKey.AssignLiteral("......");
+    mHashKey.AssignLiteral(".......");
     mHashKey.Append(keyHost);
     if (!mNetworkInterfaceId.IsEmpty()) {
         mHashKey.Append('(');
@@ -257,6 +258,7 @@ nsHttpConnectionInfo::Clone() const
     clone->SetPrivate(GetPrivate());
     clone->SetInsecureScheme(GetInsecureScheme());
     clone->SetNoSpdy(GetNoSpdy());
+    clone->SetBeConservative(GetBeConservative());
     MOZ_ASSERT(clone->Equals(this));
 
     return clone;
@@ -279,6 +281,7 @@ nsHttpConnectionInfo::CloneAsDirectRoute(nsHttpConnectionInfo **outCI)
     clone->SetPrivate(GetPrivate());
     clone->SetInsecureScheme(GetInsecureScheme());
     clone->SetNoSpdy(GetNoSpdy());
+    clone->SetBeConservative(GetBeConservative());
     if (!mNetworkInterfaceId.IsEmpty()) {
         clone->SetNetworkInterfaceId(mNetworkInterfaceId);
     }

netwerk/protocol/http/nsHttpConnectionInfo.h

@@ -118,6 +118,10 @@ public:
                                        { mHashKey.SetCharAt(aNoSpdy ? 'X' : '.', 5); }
     bool          GetNoSpdy() const    { return mHashKey.CharAt(5) == 'X'; }
 
+    void          SetBeConservative(bool aBeConservative)
+                                            { mHashKey.SetCharAt(aBeConservative ? 'C' : '.', 6); }
+    bool          GetBeConservative() const { return mHashKey.CharAt(6) == 'C'; }
+
     const nsCString &GetNetworkInterfaceId() const { return mNetworkInterfaceId; }
 
     const nsCString &GetNPNToken() { return mNPNToken; }

netwerk/protocol/http/nsHttpConnectionMgr.cpp

@@ -3062,6 +3062,11 @@ nsHalfOpenSocket::SetupStreams(nsISocketTransport **transport,
     if (ci->GetPrivate())
         tmpFlags |= nsISocketTransport::NO_PERMANENT_STORAGE;
 
+    if ((mCaps & NS_HTTP_BE_CONSERVATIVE) || ci->GetBeConservative()) {
+        LOG(("Setting Socket to BE_CONSERVATIVE"));
+        tmpFlags |= nsISocketTransport::BE_CONSERVATIVE;
+    }
+
     // For backup connections, we disable IPv6. That's because some users have
     // broken IPv6 connectivity (leading to very long timeouts), and disabling
     // IPv6 on the backup connection gives them a much better user experience

netwerk/protocol/http/nsIHttpChannelInternal.idl

@@ -205,6 +205,13 @@ interface nsIHttpChannelInternal : nsISupports
      */
     attribute boolean allowAltSvc;
 
+    /**
+     * If true, do not use newer protocol features that might have interop problems
+     * on the Internet. Intended only for use with critical infra like the updater.
+     * default is false.
+     */
+    attribute boolean beConservative;
+
     readonly attribute PRTime lastModifiedTime;
 
     /**

netwerk/socket/nsISocketProvider.idl

@@ -105,6 +105,13 @@ interface nsISocketProvider : nsISupports
      * a TLS socket without authentication.
      */
     const unsigned long MITM_OK = 1 << 3;
+
+    /**
+     * If set, do not use newer protocol features that might have interop problems
+     * on the Internet. Intended only for use with critical infra like the updater.
+     * default is false.
+     */
+    const unsigned long BE_CONSERVATIVE = 1 << 4;
 };
 
 %{C++

security/manager/ssl/StaticHPKPins.h

@@ -463,6 +463,7 @@ static const char* const kPinset_google_Data[] = {
   kGOOGLE_PIN_GoogleG2Fingerprint,
   kGoogleBackup2048Fingerprint,
   kGeoTrust_Global_CAFingerprint,
+  kGlobalSign_Root_CA___R2Fingerprint,
 };
 static const StaticFingerprints kPinset_google = {
   sizeof(kPinset_google_Data) / sizeof(const char*),
@@ -1148,4 +1149,4 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
 
 static const int32_t kUnknownId = -1;
 
-static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1489415068691000);
+static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1489505883092000);

security/manager/ssl/nsNSSIOLayer.cpp

@@ -2381,6 +2381,14 @@ nsSSLIOLayerSetOptions(PRFileDesc* fd, bool forSTARTTLS,
     return NS_ERROR_FAILURE;
   }
 
+  if ((infoObject->GetProviderFlags() & nsISocketProvider::BE_CONSERVATIVE) &&
+      (range.max > SSL_LIBRARY_VERSION_TLS_1_2)) {
+    MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+            ("[%p] nsSSLIOLayerSetOptions: range.max limited to 1.2 due to BE_CONSERVATIVE flag\n",
+             fd));
+    range.max = SSL_LIBRARY_VERSION_TLS_1_2;
+  }
+
   uint16_t maxEnabledVersion = range.max;
   infoObject->SharedState().IOLayerHelpers()
     .adjustForTLSIntolerance(infoObject->GetHostName(), infoObject->GetPort(),
@@ -2460,6 +2468,9 @@ nsSSLIOLayerSetOptions(PRFileDesc* fd, bool forSTARTTLS,
   if (flags & nsISocketProvider::MITM_OK) {
     peerId.AppendLiteral("bypassAuth:");
   }
+  if (flags & nsISocketProvider::BE_CONSERVATIVE) {
+    peerId.AppendLiteral("beConservative:");
+  }
   peerId.Append(host);
   peerId.Append(':');
   peerId.AppendInt(port);

security/manager/ssl/nsSTSPreloadList.errors

@@ -103,7 +103,6 @@ aerialmediapro.net: could not connect to host
 aes256.ru: could not connect to host
 aether.pw: could not connect to host
 aevpn.net: could not connect to host
-affinitysync.com: could not connect to host
 aficotroceni.ro: did not receive HSTS header
 afp548.tk: could not connect to host
 afrodigital.uk: could not connect to host
@@ -151,6 +150,7 @@ alittlebitcheeky.com: did not receive HSTS header
 alkami.com: did not receive HSTS header
 all-subtitles.com: did not receive HSTS header
 all.tf: could not connect to host
+alldaymonitoring.com: could not connect to host
 allforyou.at: could not connect to host
 allinnote.com: could not connect to host
 allstarswithus.com: could not connect to host
@@ -166,7 +166,6 @@ american-truck-simulator.de: could not connect to host
 american-truck-simulator.net: could not connect to host
 americanworkwear.nl: did not receive HSTS header
 amigogeek.net: could not connect to host
-amihub.com: could not connect to host
 amilx.com: could not connect to host
 amilx.org: could not connect to host
 amitube.com: could not connect to host
@@ -197,6 +196,7 @@ aniplus.gq: could not connect to host
 aniplus.ml: could not connect to host
 ankakaak.com: could not connect to host
 ankaraprofesyonelnakliyat.com: did not receive HSTS header
+ankaraprofesyonelnakliyat.com.tr: did not receive HSTS header
 annabellaw.com: max-age too low: 0
 anomaly.ws: did not receive HSTS header
 anonboards.com: did not receive HSTS header
@@ -212,13 +212,16 @@ antscript.com: did not receive HSTS header
 any.pm: could not connect to host
 anycoin.me: could not connect to host
 aojiao.org: did not receive HSTS header
+aosc.io: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 121"  data: no]
 apachelounge.com: did not receive HSTS header
 apeasternpower.com: max-age too low: 0
+apervita.net: could not connect to host
 api.lookout.com: could not connect to host
 api.mega.co.nz: could not connect to host
 apibot.de: could not connect to host
 apis.google.com: did not receive HSTS header (error ignored - included regardless)
 apis.world: did not receive HSTS header
+apnakliyat.com: did not receive HSTS header
 aponkral.net: did not receive HSTS header
 aponkralsunucu.com: did not receive HSTS header
 app.lookout.com: could not connect to host
@@ -295,7 +298,7 @@ autokovrik-diskont.ru: did not receive HSTS header
 autotsum.com: could not connect to host
 autumnwindsagility.com: could not connect to host
 auverbox.ovh: did not receive HSTS header
-auxiliumincrementum.co.uk: could not connect to host
+auxiliumincrementum.co.uk: did not receive HSTS header
 av.de: did not receive HSTS header
 avec-ou-sans-ordonnance.fr: could not connect to host
 avinet.com: max-age too low: 0
@@ -331,6 +334,7 @@ basilisk.io: could not connect to host
 bassh.net: did not receive HSTS header
 baumstark.ca: did not receive HSTS header
 bazarstupava.sk: did not receive HSTS header
+bbdos.ru: could not connect to host
 bcbsmagentprofile.com: could not connect to host
 bccx.com: could not connect to host
 bckp.de: could not connect to host
@@ -462,7 +466,6 @@ bouwbedrijfpurmerend.nl: did not receive HSTS header
 bowlroll.net: max-age too low: 0
 boxcryptor.com: did not receive HSTS header
 br3in.nl: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 121"  data: no]
-brain-e.co: could not connect to host
 braineet.com: did not receive HSTS header
 brainfork.ml: could not connect to host
 braintreegateway.com: did not receive HSTS header
@@ -520,6 +523,7 @@ bypro.xyz: could not connect to host
 bysymphony.com: max-age too low: 0
 byte.wtf: could not connect to host
 bytepark.de: did not receive HSTS header
+bytesystems.com: could not connect to host
 c1yd3i.me: could not connect to host
 c3b.info: could not connect to host
 cabarave.com: could not connect to host
@@ -559,7 +563,6 @@ cargobay.net: could not connect to host
 carlandfaith.com: could not connect to host
 carlolly.co.uk: could not connect to host
 carlosalves.info: could not connect to host
-carnildo.com: could not connect to host
 carsforbackpackers.com: could not connect to host
 casa-due-pur.com: could not connect to host
 casedi.org: max-age too low: 0
@@ -567,6 +570,7 @@ casinostest.com: did not receive HSTS header
 casioshop.eu: could not connect to host
 casovi.cf: could not connect to host
 catalyst-ecommerce.com: could not connect to host
+catarsisvr.com: did not receive HSTS header
 catcontent.cloud: could not connect to host
 catinmay.com: did not receive HSTS header
 catnapstudios.com: could not connect to host
@@ -606,8 +610,8 @@ chargejuice.com: [Exception... "Component returned failure code: 0x80004005 (NS_
 charnleyhouse.co.uk: max-age too low: 604800
 chartpen.com: did not receive HSTS header
 chartstoffarm.de: max-age too low: 10
+chaska.co.za: could not connect to host
 chatbot.me: did not receive HSTS header
-chateau-belvoir.com: did not receive HSTS header
 chateauconstellation.ch: did not receive HSTS header
 chatup.cf: could not connect to host
 chaulootz.com: could not connect to host
@@ -707,6 +711,7 @@ comfortticket.de: did not receive HSTS header
 comicspines.com: could not connect to host
 compalytics.com: could not connect to host
 comparejewelleryprices.co.uk: could not connect to host
+completeid.com: max-age too low: 86400
 completionist.audio: could not connect to host
 computeremergency.com.au: did not receive HSTS header
 concord-group.co.jp: did not receive HSTS header
@@ -753,6 +758,7 @@ crazyhotseeds.com: did not receive HSTS header
 create-test-publish.co.uk: could not connect to host
 creativephysics.ml: could not connect to host
 creativeplayuk.com: did not receive HSTS header
+creep.im: could not connect to host
 crendontech.com: could not connect to host
 crestoncottage.com: could not connect to host
 criena.net: could not connect to host
@@ -800,11 +806,11 @@ cydia-search.io: could not connect to host
 cyphertite.com: could not connect to host
 czechamlp.com: could not connect to host
 d3xt3r01.tk: could not connect to host
+d42.no: could not connect to host
 dad256.tk: could not connect to host
 dah5.com: did not receive HSTS header
 dailystormerpodcasts.com: did not receive HSTS header
 dakrib.net: could not connect to host
-dalek.co.nz: could not connect to host
 dalingk.co: could not connect to host
 dango.in: did not receive HSTS header
 daniel-steuer.de: did not receive HSTS header
@@ -817,7 +823,6 @@ daolerp.xyz: could not connect to host
 dargasia.is: could not connect to host
 dario.im: could not connect to host
 dark-x.cf: could not connect to host
-darkag.ovh: could not connect to host
 darkengine.io: could not connect to host
 darkhole.cn: could not connect to host
 darknebula.space: could not connect to host
@@ -898,12 +903,12 @@ diablotine.rocks: could not connect to host
 diarbag.us: did not receive HSTS header
 diasp.cz: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 121"  data: no]
 diedrich.co: could not connect to host
+digitalbank.kz: could not connect to host
 digitaldaddy.net: could not connect to host
 digitalriver.tk: could not connect to host
 digitalskillswap.com: could not connect to host
 dinamoelektrik.com: max-age too low: 0
 dinkum.online: could not connect to host
-dirk-weise.de: could not connect to host
 discoveringdocker.com: did not receive HSTS header
 discovery.lookout.com: did not receive HSTS header
 dislocated.de: did not receive HSTS header
@@ -977,7 +982,6 @@ dxa.io: could not connect to host
 dycontrol.de: could not connect to host
 dylanscott.com.au: did not receive HSTS header
 dymersion.com: did not receive HSTS header
-dynamize.solutions: did not receive HSTS header
 dzimejl.sk: did not receive HSTS header
 dzlibs.io: could not connect to host
 e-aut.net: could not connect to host
@@ -1106,10 +1110,11 @@ euph.eu: could not connect to host
 euren.se: could not connect to host
 euroshop24.net: could not connect to host
 evantage.org: could not connect to host
+evasion-energie.com: could not connect to host
 evdenevenakliyatankara.pw: did not receive HSTS header
 everybooks.com: max-age too low: 60
 everylab.org: could not connect to host
-evilsay.com: could not connect to host
+evilsay.com: did not receive HSTS header
 evin.ml: could not connect to host
 evomon.com: could not connect to host
 evossd.tk: could not connect to host
@@ -1182,6 +1187,7 @@ fightr.co: could not connect to host
 fikt.space: could not connect to host
 filmipop.com: max-age too low: 0
 finalgear.com: did not receive HSTS header
+financieringsportaal.nl: did not receive HSTS header
 finanzkontor.net: could not connect to host
 findtutorsnearme.com: did not receive HSTS header
 finneas.net: could not connect to host
@@ -1201,6 +1207,7 @@ fixatom.com: did not receive HSTS header
 fixingdns.com: did not receive HSTS header
 fizz.buzz: could not connect to host
 fj.search.yahoo.com: did not receive HSTS header
+fjruiz.es: could not connect to host
 flags.ninja: could not connect to host
 flamewall.net: could not connect to host
 flawcheck.com: did not receive HSTS header
@@ -1216,7 +1223,6 @@ flowersandclouds.com: could not connect to host
 flukethoughts.com: could not connect to host
 flushstudios.com: did not receive HSTS header
 flyaces.com: did not receive HSTS header
-flyserver.co.il: could not connect to host
 flyss.net: did not receive HSTS header
 fm83.nl: could not connect to host
 fndout.com: did not receive HSTS header
@@ -1266,6 +1272,7 @@ frontmin.com: did not receive HSTS header
 frost-ci.xyz: could not connect to host
 fruitusers.com: could not connect to host
 frusky.net: could not connect to host
+fs-gamenet.de: could not connect to host
 ftctele.com: did not receive HSTS header
 fuckgfw233.org: could not connect to host
 fugle.de: could not connect to host
@@ -1319,7 +1326,6 @@ geekcast.co.uk: did not receive HSTS header
 geeky.software: could not connect to host
 geli-graphics.com: did not receive HSTS header
 gem-indonesia.net: could not connect to host
-generic.cx: could not connect to host
 genuu.com: could not connect to host
 genuxation.com: could not connect to host
 genyaa.com: could not connect to host
@@ -1364,13 +1370,11 @@ glass.google.com: did not receive HSTS header (error ignored - included regardle
 glentakahashi.com: max-age too low: 0
 glitzmirror.com: could not connect to host
 globalexpert.co.nz: could not connect to host
-globalinstitutefortraining.org.au: could not connect to host
 globalittech.com: could not connect to host
 globalmusic.ga: could not connect to host
 gloomyvancouver.com: could not connect to host
 glopoi.com: did not receive HSTS header
 glws.org: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 121"  data: no]
-gm-assicurazioni.it: could not connect to host
 gm.search.yahoo.com: did not receive HSTS header
 gmail.com: did not receive HSTS header (error ignored - included regardless)
 gmantra.org: could not connect to host
@@ -1404,16 +1408,14 @@ gottcode.org: did not receive HSTS header
 govillemo.ca: did not receive HSTS header
 gowe.wang: could not connect to host
 gparent.org: did not receive HSTS header
-gpfclan.de: could not connect to host
 gpsfix.cz: could not connect to host
 gpstuner.com: did not receive HSTS header
 gracesofgrief.com: max-age too low: 86400
+graffen.dk: did not receive HSTS header
 grandmascookieblog.com: did not receive HSTS header
 graph.no: did not receive HSTS header
 gravity-net.de: could not connect to host
 grazetech.com: could not connect to host
-greboid.co.uk: did not receive HSTS header
-greboid.com: did not receive HSTS header
 greenhillantiques.co.uk: did not receive HSTS header
 greenvines.com.tw: did not receive HSTS header
 gregorytlee.me: could not connect to host
@@ -1433,7 +1435,6 @@ gtlfsonlinepay.com: did not receive HSTS header
 gtraxapp.com: could not connect to host
 guava.studio: did not receive HSTS header
 guilde-vindicta.fr: did not receive HSTS header
-gulenet.com: could not connect to host
 gurusupe.com: could not connect to host
 gussi.is: could not connect to host
 gvt2.com: could not connect to host (error ignored - included regardless)
@@ -1457,6 +1458,7 @@ hackerforever.com: did not receive HSTS header
 hackerone-ext-adroll.com: could not connect to host
 hackit.im: could not connect to host
 hadzic.co: could not connect to host
+haeckdesign.com: could not connect to host
 hahayidu.org: could not connect to host
 haitschi.com: could not connect to host
 haitschi.de: could not connect to host
@@ -1475,7 +1477,6 @@ happycoder.net: could not connect to host
 happyfabric.me: did not receive HSTS header
 happygadget.me: could not connect to host
 harabuhouse.com: did not receive HSTS header
-hardfalcon.net: could not connect to host
 hardline.xyz: could not connect to host
 harmonycosmetic.com: max-age too low: 300
 harristony.com: could not connect to host
@@ -1515,6 +1516,7 @@ henriknoerr.com: could not connect to host
 hermes-net.de: did not receive HSTS header
 herpaderp.net: did not receive HSTS header
 herzbotschaft.de: did not receive HSTS header
+heutger.net: did not receive HSTS header
 heyguevara.com: could not connect to host
 hibilog.com: could not connect to host
 hicn.gq: could not connect to host
@@ -1584,7 +1586,6 @@ iamokay.nl: did not receive HSTS header
 iamveto.com: could not connect to host
 iapws.com: did not receive HSTS header
 iban.is: could not connect to host
-ibnuwebhost.com: did not receive HSTS header
 icewoman.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 121"  data: no]
 ichnichtskaufmann.de: could not connect to host
 icreative.nl: did not receive HSTS header
@@ -1612,6 +1613,7 @@ ihrlotto.de: could not connect to host
 ihrnationalrat.ch: could not connect to host
 ihsbsd.me: could not connect to host
 ihuanmeng.com: did not receive HSTS header
+ikk.me: did not receive HSTS header
 ikujii.com: max-age too low: 0
 ikwilguidobellen.nl: did not receive HSTS header
 ilbuongiorno.it: did not receive HSTS header
@@ -1668,7 +1670,6 @@ intel.li: could not connect to host
 intelldynamics.com: could not connect to host
 interference.io: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 121"  data: no]
 interlun.com: could not connect to host
-internect.co.za: did not receive HSTS header
 internetcasinos.de: did not receive HSTS header
 internetcensus.org: could not connect to host
 interserved.com: did not receive HSTS header
@@ -1704,7 +1705,6 @@ isogram.nl: could not connect to host
 israkurort.com: did not receive HSTS header
 istanbultravelguide.info: could not connect to host
 istaspirtslietas.lv: did not receive HSTS header
-it-adminio.ru: could not connect to host
 it-go.net: did not receive HSTS header
 itechgeek.com: max-age too low: 0
 itfh.eu: could not connect to host
@@ -1740,7 +1740,7 @@ jamesdoylephoto.com: did not receive HSTS header
 jamesf.xyz: could not connect to host
 jamesmorrison.me: did not receive HSTS header
 jamourtney.com: could not connect to host
-jan27.org: did not receive HSTS header
+jan27.org: could not connect to host
 janario.me: could not connect to host
 janbrodda.de: max-age too low: 2592000
 jannyrijneveld.nl: did not receive HSTS header
@@ -1788,15 +1788,15 @@ jhejderup.me: could not connect to host
 jia1hao.com: could not connect to host
 jikken.de: could not connect to host
 jimas.eu: did not receive HSTS header
-jimmycai.org: max-age too low: 10368000
+jimmycai.org: could not connect to host
 jinbo123.com: did not receive HSTS header
 jkb.pics: could not connect to host
 jkbuster.com: could not connect to host
 jmdekker.it: could not connect to host
 joakimalgroy.com: could not connect to host
-jobbkk.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 121"  data: no]
 jobmedic.com: did not receive HSTS header
 joedavison.me: could not connect to host
+joepitt.co.uk: could not connect to host
 jogi-server.de: did not receive HSTS header
 johners.me: could not connect to host
 johners.tech: did not receive HSTS header
@@ -1818,7 +1818,6 @@ jrc9.ca: did not receive HSTS header
 jrgold.me: could not connect to host
 jrvar.com: did not receive HSTS header
 jsanders.us: did not receive HSTS header
-jslay.net: could not connect to host
 jualautoclave.com: did not receive HSTS header
 jualssh.com: could not connect to host
 juliamweber.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 121"  data: no]
@@ -1839,6 +1838,7 @@ k-dev.de: could not connect to host
 ka-clan.com: could not connect to host
 kab-s.de: did not receive HSTS header
 kabuabc.com: did not receive HSTS header
+kabus.org: could not connect to host
 kadioglumakina.com.tr: did not receive HSTS header
 kahopoon.net: could not connect to host
 kaisers.de: did not receive HSTS header
@@ -1847,8 +1847,8 @@ kamikano.com: could not connect to host
 kaplatz.is: could not connect to host
 kapucini.si: max-age too low: 0
 karaoketonight.com: could not connect to host
+karhukamera.com: could not connect to host
 karmaflux.com: could not connect to host
-katericke.com: could not connect to host
 katiaetdavid.fr: could not connect to host
 katproxy.online: could not connect to host
 katproxy.site: could not connect to host
@@ -1858,6 +1858,7 @@ kausch.at: could not connect to host
 kawaii.io: could not connect to host
 kawaiiku.com: could not connect to host
 kawaiiku.de: could not connect to host
+kaylyn.ink: could not connect to host
 kayon.cf: could not connect to host
 kdata.it: did not receive HSTS header
 kdm-online.de: did not receive HSTS header
@@ -1900,7 +1901,6 @@ kitsta.com: could not connect to host
 kiwiirc.com: max-age too low: 5256000
 kizil.net: could not connect to host
 kjaermaxi.me: did not receive HSTS header
-kksg.com: could not connect to host
 klasfauseweh.de: could not connect to host
 klauwd.com: did not receive HSTS header
 klaxn.org: could not connect to host
@@ -1914,7 +1914,6 @@ knccloud.com: could not connect to host
 kodokushi.fr: could not connect to host
 kollabria.com: max-age too low: 0
 komikito.com: could not connect to host
-komischkeszeug.de: could not connect to host
 kompetenzwerft.de: did not receive HSTS header
 kontaxis.network: could not connect to host
 kontorhaus-schlachte.de: could not connect to host
@@ -1973,7 +1972,6 @@ laserfuchs.de: did not receive HSTS header
 lashstuff.com: did not receive HSTS header
 lask.in: did not receive HSTS header
 latus.xyz: could not connect to host
-lauftrainer-ausbildung.com: did not receive HSTS header
 lavabit.no: could not connect to host
 lavval.com: could not connect to host
 lawformt.com: did not receive HSTS header
@@ -2028,10 +2026,10 @@ libertyrp.org: could not connect to host
 library.linode.com: did not receive HSTS header
 librechan.net: could not connect to host
 libscode.com: did not receive HSTS header
-liduan.com: could not connect to host
-liduan.net: could not connect to host
+liceserv.com: could not connect to host
 lifeguard.aecom.com: did not receive HSTS header
 lifeinitsownway.com: did not receive HSTS header
+lifeskillsdirect.com: did not receive HSTS header
 lifestylehunter.co.uk: did not receive HSTS header
 lifetimemoneymachine.com: did not receive HSTS header
 lifi.digital: could not connect to host
@@ -2045,6 +2043,7 @@ limpido.it: could not connect to host
 lindberg.io: did not receive HSTS header
 lingros-test.tk: could not connect to host
 linguaquote.com: did not receive HSTS header
+linkages.org: could not connect to host
 linmi.cc: did not receive HSTS header
 linorman1997.me: could not connect to host
 linuxeyecandy.com: could not connect to host
@@ -2064,9 +2063,9 @@ locomotive.ca: did not receive HSTS header
 login.corp.google.com: max-age too low: 7776000 (error ignored - included regardless)
 loginseite.com: could not connect to host
 loli.bz: could not connect to host
-lolicore.ch: could not connect to host
 lonal.com: could not connect to host
 londonlanguageexchange.com: could not connect to host
+longboarding-ulm.de: could not connect to host
 look-at-my.site: could not connect to host
 lookastic.co.uk: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 121"  data: no]
 lookastic.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 121"  data: no]
@@ -2095,6 +2094,7 @@ lsp-sports.de: did not receive HSTS header
 lt.search.yahoo.com: did not receive HSTS header
 ltbytes.com: could not connect to host
 lu.search.yahoo.com: did not receive HSTS header
+lucidlogs.com: could not connect to host
 luine.xyz: could not connect to host
 luis-checa.com: could not connect to host
 lukas.im: did not receive HSTS header
@@ -2125,12 +2125,12 @@ macchaberrycream.com: could not connect to host
 macchedil.com: did not receive HSTS header
 macgeneral.de: did not receive HSTS header
 machon.biz: could not connect to host
+maclemon.at: could not connect to host
 macosxfilerecovery.com: did not receive HSTS header
 madars.org: did not receive HSTS header
 maddin.ga: could not connect to host
 madebymagnitude.com: did not receive HSTS header
-maderwin.com: could not connect to host
-madreacqua.org: could not connect to host
+maderwin.com: did not receive HSTS header
 madusecurity.com: could not connect to host
 mafamane.com: could not connect to host
 mafiareturns.com: max-age too low: 2592000
@@ -2193,7 +2193,7 @@ mcc.re: could not connect to host
 mccarty.io: could not connect to host
 mcdonalds.ru: did not receive HSTS header
 mclab.su: could not connect to host
-md5hashing.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 121"  data: no]
+mcpart.land: could not connect to host
 mdewendt.de: could not connect to host
 mdfnet.se: did not receive HSTS header
 mdscomp.net: did not receive HSTS header
@@ -2262,12 +2262,14 @@ mikonmaa.fi: could not connect to host
 miku.be: could not connect to host
 miku.hatsune.my: max-age too low: 5184000
 milesgeek.com: did not receive HSTS header
+millenniumweb.com: did not receive HSTS header
 mindoktor.se: did not receive HSTS header
 minecraftserverz.com: could not connect to host
 minecraftvoter.com: could not connect to host
 minikneet.nl: did not receive HSTS header
 minis-hip.de: could not connect to host
 minnesotadata.com: could not connect to host
+miragrow.com: could not connect to host
 mirindadomo.ru: did not receive HSTS header
 mirodasilva.be: could not connect to host
 mironized.com: did not receive HSTS header
@@ -2306,6 +2308,7 @@ mondar.io: could not connect to host
 mondopoint.com: could not connect to host
 moneycrownmedia.com: did not receive HSTS header
 monitman.com: could not connect to host
+monpc-pro.fr: did not receive HSTS header
 moon.lc: could not connect to host
 moparisthebest.biz: could not connect to host
 moparisthebest.info: could not connect to host
@@ -2329,7 +2332,6 @@ mountainmusicpromotions.com: did not receive HSTS header
 moviesabout.net: could not connect to host
 mozoa.net: did not receive HSTS header
 mp3juices.is: could not connect to host
-mpintaamalabanna.it: could not connect to host
 mqas.net: could not connect to host
 mrnonz.com: max-age too low: 0
 mrpopat.in: did not receive HSTS header
@@ -2443,7 +2445,6 @@ neutralox.com: max-age too low: 3600
 never-afk.de: could not connect to host
 neveta.com: could not connect to host
 newcitygas.ca: max-age too low: 0
-newedivideo.it: could not connect to host
 newlooknow.com: did not receive HSTS header
 newtonwarp.com: could not connect to host
 nextcloud.org: could not connect to host
@@ -2461,7 +2462,7 @@ nicky.io: did not receive HSTS header
 nicoborghuis.nl: could not connect to host
 nicolasbettag.me: could not connect to host
 niconiconi.xyz: could not connect to host
-niconode.com: did not receive HSTS header
+niconode.com: could not connect to host
 nien.chat: could not connect to host
 niho.jp: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 121"  data: no]
 nikcub.com: could not connect to host
@@ -2506,6 +2507,7 @@ novatrucking.de: could not connect to host
 nowak.ninja: did not receive HSTS header
 noworrywp.com: could not connect to host
 np.search.yahoo.com: did not receive HSTS header
+npm.li: could not connect to host
 npol.de: did not receive HSTS header
 ntbs.pro: could not connect to host
 nu3.at: did not receive HSTS header
@@ -2519,6 +2521,7 @@ nu3.fr: did not receive HSTS header
 nu3.no: did not receive HSTS header
 nu3.se: did not receive HSTS header
 nufla.de: could not connect to host
+nukenet.se: could not connect to host
 null-sec.ru: could not connect to host
 null.cat: could not connect to host
 null.tips: could not connect to host
@@ -2542,6 +2545,7 @@ o0o.one: did not receive HSTS header
 oasis.mobi: did not receive HSTS header
 oasisim.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 121"  data: no]
 obsydian.org: could not connect to host
+occasion-impro.com: could not connect to host
 occentus.net: did not receive HSTS header
 ochaken.cf: could not connect to host
 odifi.com: could not connect to host
@@ -2558,6 +2562,8 @@ oliver-pietsch.de: did not receive HSTS header
 oliverdunk.com: did not receive HSTS header
 ollehbizev.co.kr: could not connect to host
 ollie.io: did not receive HSTS header
+ollies.cloud: could not connect to host
+olliespage.net: could not connect to host
 omgaanmetidealen.com: could not connect to host
 ominto.com: max-age too low: 0
 omniti.com: max-age too low: 1
@@ -2617,6 +2623,7 @@ ossan-kobe-gourmet.com: did not receive HSTS header
 ossbinaries.com: could not connect to host
 osteammate.com: did not receive HSTS header
 osticketawesome.com: did not receive HSTS header
+ostr.io: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 121"  data: no]
 otakuworld.de: could not connect to host
 othercode.nl: could not connect to host
 othermedia.cc: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 121"  data: no]
@@ -2626,6 +2633,7 @@ ottospora.nl: could not connect to host
 ourbank.com: did not receive HSTS header
 outdoorproducts.com: did not receive HSTS header
 outetc.com: could not connect to host
+outline.ski: could not connect to host
 outreachbuddy.com: could not connect to host
 outsider.im: could not connect to host
 ouvirmusica.com.br: did not receive HSTS header
@@ -2656,6 +2664,7 @@ pantsu.cat: did not receive HSTS header
 papeda.net: could not connect to host
 papercard.co.uk: did not receive HSTS header
 papierniak.net: could not connect to host
+papygeek.com: could not connect to host
 parent5446.us: could not connect to host
 parentmail.co.uk: did not receive HSTS header
 parodybit.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 121"  data: no]
@@ -2690,6 +2699,7 @@ pbprint.ru: max-age too low: 0
 pc-nf.de: did not receive HSTS header
 pcfun.net: did not receive HSTS header
 pchax.net: could not connect to host
+pebblesdemo.com: could not connect to host
 peissen.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 121"  data: no]
 pekkapikkarainen.fi: could not connect to host
 pekkarik.ru: could not connect to host
@@ -2719,7 +2729,6 @@ pgpm.io: could not connect to host
 phillprice.com: could not connect to host
 phonenumberinfo.co.uk: could not connect to host
 phongmay24h.com: could not connect to host
-photoancestry.com: could not connect to host
 phurl.de: could not connect to host
 pickr.co: could not connect to host
 picotronic.biz: could not connect to host
@@ -2755,8 +2764,8 @@ playkh.com: did not receive HSTS header
 playmaker.io: could not connect to host
 playnation.io: did not receive HSTS header
 playsoundevents.be: could not connect to host
-pleier-it.de: could not connect to host
-pleier.it: could not connect to host
+pleier-it.de: did not receive HSTS header
+pleier.it: did not receive HSTS header
 plhdb.org: did not receive HSTS header
 plixer.com: did not receive HSTS header
 plogable.co: could not connect to host
@@ -2781,9 +2790,11 @@ poon.tech: could not connect to host
 poris.web.id: did not receive HSTS header
 portalplatform.net: did not receive HSTS header
 postcodewise.co.uk: did not receive HSTS header
+posterspy.com: did not receive HSTS header
 postscheduler.org: could not connect to host
 posylka.de: did not receive HSTS header
 potatofrom.space: could not connect to host
+potatoheads.net: could not connect to host
 poussinooz.fr: could not connect to host
 povitria.net: could not connect to host
 power-of-interest.com: did not receive HSTS header
@@ -2816,6 +2827,7 @@ progg.no: could not connect to host
 prohostonline.fi: could not connect to host
 promecon-gmbh.de: did not receive HSTS header
 prontolight.com: did not receive HSTS header
+prontomovers.co.uk: could not connect to host
 prosocialmachines.com: could not connect to host
 prosoft.sk: did not receive HSTS header
 prosperident.com: did not receive HSTS header
@@ -2826,7 +2838,7 @@ proxybay.al: could not connect to host
 proxybay.club: could not connect to host
 proxybay.info: did not receive HSTS header
 prxio.date: could not connect to host
-prxio.site: could not connect to host
+prxio.site: did not receive HSTS header
 prytkov.com: did not receive HSTS header
 psw.academy: did not receive HSTS header
 psw.consulting: did not receive HSTS header
@@ -2850,6 +2862,7 @@ pypt.lt: did not receive HSTS header
 q2.si: did not receive HSTS header
 qingxuan.info: max-age too low: 864000
 qinxi1992.com: did not receive HSTS header
+qldconservation.org: could not connect to host
 qorm.co.uk: did not receive HSTS header
 qrara.net: did not receive HSTS header
 qrlending.com: did not receive HSTS header
@@ -2876,7 +2889,6 @@ rainbowbarracuda.com: could not connect to host
 ramonj.nl: could not connect to host
 randomcage.com: did not receive HSTS header
 randomcloud.net: could not connect to host
-randomkoalafacts.com: could not connect to host
 rankthespot.com: did not receive HSTS header
 rannseier.org: could not connect to host
 rapidresearch.me: could not connect to host
@@ -2903,7 +2915,7 @@ reddit.com: did not receive HSTS header
 rede.ca: did not receive HSTS header
 redicabo.de: could not connect to host
 redlatam.org: did not receive HSTS header
-redmbk.com: could not connect to host
+redmbk.com: did not receive HSTS header
 regaloaks.com: did not receive HSTS header
 regalpalms.com: did not receive HSTS header
 regenbogenwald.de: did not receive HSTS header
@@ -2921,6 +2933,7 @@ renrenss.com: did not receive HSTS header
 rent-a-coder.de: did not receive HSTS header
 rentcarassist.com: could not connect to host
 renteater.com: could not connect to host
+repaxan.com: could not connect to host
 replacemychina.com: did not receive HSTS header
 reprolife.co.uk: max-age too low: 0
 res-rheingau.de: did not receive HSTS header
@@ -2930,6 +2943,7 @@ reserve-online.net: did not receive HSTS header
 respice.xyz: could not connect to host
 respostas.com.br: did not receive HSTS header
 restchart.com: did not receive HSTS header
+retcor.net: did not receive HSTS header
 retrotracks.net: max-age too low: 0
 revello.org: did not receive HSTS header
 reverie.pw: could not connect to host
@@ -2969,7 +2983,6 @@ roddis.net: did not receive HSTS header
 rodney.id.au: did not receive HSTS header
 rodosto.com: did not receive HSTS header
 roeper.party: could not connect to host
-rokudenashi.de: did not receive HSTS header
 romans-place.me.uk: did not receive HSTS header
 ronvandordt.info: did not receive HSTS header
 ronwo.de: max-age too low: 1
@@ -2999,7 +3012,7 @@ rubyshop.nl: max-age too low: 604800
 rudeotter.com: did not receive HSTS header
 rudloff.pro: did not receive HSTS header
 rugirlfriend.com: could not connect to host
-ruiming.me: could not connect to host
+ruiming.me: did not receive HSTS header
 runawebinar.nl: could not connect to host
 runementors.com: could not connect to host
 runtondev.com: did not receive HSTS header
@@ -3029,7 +3042,8 @@ salud.top: did not receive HSTS header
 saml2.com: could not connect to host
 sampoznay.ru: did not receive HSTS header
 samraskauskas.com: could not connect to host
-samsen.club: could not connect to host
+samsen.club: did not receive HSTS header
+sanatfilan.com: could not connect to host
 sandviks.com: did not receive HSTS header
 sansemea.com: could not connect to host
 sapk.fr: could not connect to host
@@ -3049,6 +3063,7 @@ saveyour.biz: did not receive HSTS header
 savingrecipe.com: did not receive HSTS header
 sawamura-rental.com: did not receive HSTS header
 sb-group.dk: did not receive HSTS header
+sbox-archives.com: could not connect to host
 sby.de: did not receive HSTS header
 sc4le.com: could not connect to host
 schmitz.link: could not connect to host
@@ -3066,7 +3081,6 @@ scrapings.net: could not connect to host
 screencaster.io: did not receive HSTS header
 screenresolution.space: could not connect to host
 scribe.systems: could not connect to host
-scrion.com: did not receive HSTS header
 script.google.com: did not receive HSTS header (error ignored - included regardless)
 scriptict.nl: could not connect to host
 scriptjunkie.us: could not connect to host
@@ -3075,7 +3089,6 @@ sdrobs.com: did not receive HSTS header
 sdsl-speedtest.de: could not connect to host
 search-one.de: did not receive HSTS header
 sebastian-lutsch.de: could not connect to host
-sebster.com: did not receive HSTS header
 secandtech.com: could not connect to host
 secondpay.nl: did not receive HSTS header
 sectia22.ro: could not connect to host
@@ -3084,6 +3097,7 @@ secure-games.us: could not connect to host
 secureradio.net: could not connect to host
 security-carpet.com: could not connect to host
 security.google.com: did not receive HSTS header (error ignored - included regardless)
+securitybsides.pl: did not receive HSTS header
 securityinet.biz: did not receive HSTS header
 securityinet.net: did not receive HSTS header
 securityinet.org.il: did not receive HSTS header
@@ -3111,7 +3125,6 @@ seo.consulting: did not receive HSTS header
 seomobo.com: could not connect to host
 seowarp.net: did not receive HSTS header
 seq.tf: did not receive HSTS header
-serathius.ovh: could not connect to host
 serfdom.io: did not receive HSTS header
 serized.pw: could not connect to host
 servercode.ca: did not receive HSTS header
@@ -3124,6 +3137,7 @@ setphaserstostun.org: could not connect to host
 setuid.de: could not connect to host
 setuid.io: did not receive HSTS header
 seyahatsagliksigortalari.com: could not connect to host
+sgtcodfish.com: did not receive HSTS header
 shadoom.com: did not receive HSTS header
 shadowmorph.info: did not receive HSTS header
 shadowsocks.net: could not connect to host
@@ -3136,6 +3150,7 @@ sharescope.co.uk: max-age too low: 14400
 shauncrowley.co.uk: could not connect to host
 shaunwheelhou.se: could not connect to host
 shawnh.net: could not connect to host
+sheilasdrivingschool.com: could not connect to host
 shellsec.pw: did not receive HSTS header
 shibe.club: could not connect to host
 shiftins.com: did not receive HSTS header
@@ -3183,7 +3198,7 @@ skk.io: could not connect to host
 skoda-clever-lead.de: could not connect to host
 skoda-im-dialog.de: could not connect to host
 skullhouse.nyc: did not receive HSTS header
-skyflix.me: could not connect to host
+skyflix.me: did not receive HSTS header
 skyoy.com: did not receive HSTS header
 slash-dev.de: did not receive HSTS header
 slashem.me: did not receive HSTS header
@@ -3194,7 +3209,6 @@ slightfuture.click: could not connect to host
 slix.io: could not connect to host
 slope.haus: could not connect to host
 slovakiana.sk: did not receive HSTS header
-slowfood.es: could not connect to host
 sluitkampzeist.nl: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 121"  data: no]
 slycurity.de: did not receive HSTS header
 smart-mirror.de: did not receive HSTS header
@@ -3243,7 +3257,6 @@ songzhuolun.com: did not receive HSTS header
 sonic.sk: max-age too low: 0
 sonicrainboom.rocks: did not receive HSTS header
 sotar.us: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 121"  data: no]
-sotiran.com: did not receive HSTS header
 sotor.de: did not receive HSTS header
 soulboy.io: did not receive HSTS header
 soulema.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 121"  data: no]
@@ -3256,7 +3269,6 @@ souyar.net: could not connect to host
 souyar.us: could not connect to host
 sovereignshare.com: could not connect to host
 sown.dyndns.org: could not connect to host
-spacefish.biz: did not receive HSTS header
 spacehq.org: max-age too low: 0
 spark.team: could not connect to host
 sparklingsparklers.com: did not receive HSTS header
@@ -3303,7 +3315,6 @@ stadjerspasonline.nl: could not connect to host
 stahl.xyz: could not connect to host
 starsam80.net: could not connect to host
 starttraffic.com: did not receive HSTS header
-stassi.ch: could not connect to host
 stateofexception.io: could not connect to host
 static.or.at: did not receive HSTS header
 staticanime.net: could not connect to host
@@ -3323,6 +3334,7 @@ stitchfiddle.com: could not connect to host
 stkbn.com: did not receive HSTS header
 stmbgr.com: could not connect to host
 stn.me.uk: did not receive HSTS header
+stnl.de: could not connect to host
 stocktrade.de: could not connect to host
 stoffe-monster.de: did not receive HSTS header
 stole-my.bike: could not connect to host
@@ -3428,7 +3440,7 @@ tazemama.biz: could not connect to host
 tazz.in: could not connect to host
 tcao.info: could not connect to host
 tcby45.xyz: did not receive HSTS header
-tcdw.net: could not connect to host
+tcdw.net: did not receive HSTS header
 tcl.ath.cx: did not receive HSTS header
 tcomms.org: max-age too low: 0
 teachforcanada.ca: did not receive HSTS header
@@ -3504,7 +3516,6 @@ thevintagenews.com: [Exception... "Component returned failure code: 0x80004005 (
 thezonders.com: did not receive HSTS header
 thierfreund.de: could not connect to host
 thinkcoding.de: could not connect to host
-thinktux.net: could not connect to host
 thinlyveiledcontempt.com: could not connect to host
 thirdpartytrade.com: did not receive HSTS header
 thirty5.net: did not receive HSTS header
@@ -3531,6 +3542,7 @@ timotrans.eu: did not receive HSTS header
 timwittenberg.com: could not connect to host
 tipsyk.ru: could not connect to host
 tirex.media: did not receive HSTS header
+titanleaf.com: could not connect to host
 tittelbach.at: did not receive HSTS header
 titties.ml: could not connect to host
 tkarstens.de: did not receive HSTS header
@@ -3548,7 +3560,7 @@ tobiasmathes.name: could not connect to host
 tobiasofficial.at: could not connect to host
 todo.is: did not receive HSTS header
 todobazar.es: could not connect to host
-tokyopopline.com: could not connect to host
+tokyopopline.com: did not receive HSTS header
 tollmanz.com: did not receive HSTS header
 tomberek.info: could not connect to host
 tomeara.net: could not connect to host
@@ -3561,7 +3573,6 @@ tonburi.jp: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR
 tonyfantjr.com: could not connect to host
 toomanypillows.com: could not connect to host
 topbargains.com.au: did not receive HSTS header
-topdevbox.net: could not connect to host
 topmarine.se: could not connect to host
 topnewstoday.org: could not connect to host
 topshelfguild.com: could not connect to host
@@ -3578,17 +3589,18 @@ tpbcdn.com: could not connect to host
 tpe-edu.com: could not connect to host
 track.plus: could not connect to host
 tracktivity.com.au: did not receive HSTS header
+tradeinvent.co.uk: could not connect to host
 tradingcentre.com.au: did not receive HSTS header
 tradinghope.com: could not connect to host
 traeningsprojekt.dk: did not receive HSTS header
 traindb.nl: could not connect to host
+trainut.com: could not connect to host
 translate.googleapis.com: did not receive HSTS header (error ignored - included regardless)
 transportal.sk: did not receive HSTS header
 treeby.net: could not connect to host
 trendberry.ru: could not connect to host
 trinityaffirmations.com: max-age too low: 0
 trinitycore.org: max-age too low: 2592000
-trior.net: could not connect to host
 tripdelta.com: did not receive HSTS header
 trixies-wish.nz: could not connect to host
 trusitio.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 121"  data: no]
@@ -3633,6 +3645,7 @@ u-blox.com: did not receive HSTS header
 ua.search.yahoo.com: did not receive HSTS header
 ubicloud.de: could not connect to host
 ublox.com: did not receive HSTS header
+ubtce.com: could not connect to host
 ubuntuhot.com: did not receive HSTS header
 uega.net: did not receive HSTS header
 ufgaming.com: did not receive HSTS header
@@ -3655,7 +3668,6 @@ undernet.uy: did not receive HSTS header
 unfiltered.nyc: did not receive HSTS header
 uni-games.com: could not connect to host
 unicooo.com: did not receive HSTS header
-uniq.site: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 121"  data: no]
 unison.com: could not connect to host
 unitedcyberdevelopment.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 121"  data: no]
 unitel2000.de: could not connect to host
@@ -3672,6 +3684,7 @@ up1.ca: could not connect to host
 upaknship.com: did not receive HSTS header
 upani.net: did not receive HSTS header
 upldr.pw: could not connect to host
+upr.com.ua: could not connect to host
 uprotect.it: could not connect to host
 upstats.eu: could not connect to host
 urandom.eu.org: did not receive HSTS header
@@ -3694,6 +3707,7 @@ uzmandroid.net: could not connect to host
 uzmandroid.top: could not connect to host
 v4veedu.com: could not connect to host
 vaddder.com: could not connect to host
+vadik.me: could not connect to host
 valethound.com: could not connect to host
 valis.sx: could not connect to host
 valkyrja.xyz: did not receive HSTS header
@@ -3707,6 +3721,7 @@ vanitas.xyz: could not connect to host
 vanitynailworkz.com: could not connect to host
 vansieleghem.com: could not connect to host
 vasanth.org: could not connect to host
+vavai.net: could not connect to host
 vbh2o.com: did not receive HSTS header
 vbulletin-russia.com: could not connect to host
 vbulletinrussia.com: could not connect to host
@@ -3732,7 +3747,6 @@ viewsea.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERRO
 viktorsvantesson.net: did not receive HSTS header
 vincentkooijman.at: did not receive HSTS header
 vincentkooijman.nl: did not receive HSTS header
-vinner.com.au: could not connect to host
 vintageheartcoffee.com: did not receive HSTS header
 vio.no: did not receive HSTS header
 viperdns.com: could not connect to host
@@ -3768,7 +3782,6 @@ vzk.io: could not connect to host
 w4a.fr: max-age too low: 0
 w4xzr.top: could not connect to host
 w4xzr.xyz: could not connect to host
-wait.moe: could not connect to host
 wakapp.de: could not connect to host
 walkeryoung.ca: could not connect to host
 wallet.google.com: did not receive HSTS header (error ignored - included regardless)
@@ -3783,7 +3796,7 @@ warhistoryonline.com: [Exception... "Component returned failure code: 0x80004005
 warmlyyours.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 121"  data: no]
 warped.com: did not receive HSTS header
 warsentech.com: could not connect to host
-waschpark-hantschel.de: did not receive HSTS header
+warsh.moe: could not connect to host
 watchium.com: did not receive HSTS header
 watsonhall.uk: could not connect to host
 wave.is: could not connect to host
@@ -3882,13 +3895,12 @@ woording.com: could not connect to host
 woresite.jp: did not receive HSTS header
 workfone.io: did not receive HSTS header
 workwithgo.com: could not connect to host
-wormdisk.net: could not connect to host
 wowapi.org: could not connect to host
 wphostingspot.com: did not receive HSTS header
 wpmetadatastandardsproject.org: could not connect to host
 writeapp.me: did not receive HSTS header
 wsscompany.com.ve: could not connect to host
-wufu.org: did not receive HSTS header
+wufu.org: could not connect to host
 wuhengmin.com: did not receive HSTS header
 wurzelzwerg.net: could not connect to host
 www.apollo-auto.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 121"  data: no]
@@ -3963,7 +3975,6 @@ xtream-hosting.com: could not connect to host
 xtream-hosting.de: could not connect to host
 xtream-hosting.eu: could not connect to host
 xtreamhosting.eu: could not connect to host
-xtremegaming.it: could not connect to host
 xuri.me: max-age too low: 2592000
 xuyh0120.win: did not receive HSTS header
 xxbase.com: could not connect to host
@@ -3997,12 +4008,11 @@ yoloseo.com: could not connect to host
 yorname.ml: could not connect to host
 youcontrol.ru: could not connect to host
 youngandunited.nl: did not receive HSTS header
-yourself.today: could not connect to host
 yourstrongbox.com: could not connect to host
 yout.com: max-age too low: 60000
 yu.gg: did not receive HSTS header
 yuan.ga: did not receive HSTS header
-yuhen.ru: did not receive HSTS header
+yuhen.ru: could not connect to host
 yuko.moe: could not connect to host
 yukontec.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 121"  data: no]
 yunzhu.li: did not receive HSTS header

security/sandbox/linux/Sandbox.cpp

@@ -212,7 +212,9 @@ InstallSigSysHandler(void)
  * program).  The kernel won't allow seccomp-bpf without doing this,
  * because otherwise it could be used for privilege escalation attacks.
  *
- * Returns false (and sets errno) on failure.
+ * Returns false if the filter was already installed (see the
+ * PR_SET_NO_NEW_PRIVS rule in SandboxFilter.cpp).  Crashes on any
+ * other error condition.
  *
  * @see SandboxInfo
  * @see BroadcastSetThreadSandbox
@@ -221,6 +223,9 @@ static bool MOZ_MUST_USE
 InstallSyscallFilter(const sock_fprog *aProg, bool aUseTSync)
 {
   if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+    if (!aUseTSync && errno == ETXTBSY) {
+      return false;
+    }
     SANDBOX_LOG_ERROR("prctl(PR_SET_NO_NEW_PRIVS) failed: %s", strerror(errno));
     MOZ_CRASH("prctl(PR_SET_NO_NEW_PRIVS)");
   }
@@ -230,13 +235,13 @@ InstallSyscallFilter(const sock_fprog *aProg, bool aUseTSync)
                 SECCOMP_FILTER_FLAG_TSYNC, aProg) != 0) {
       SANDBOX_LOG_ERROR("thread-synchronized seccomp failed: %s",
                         strerror(errno));
-      return false;
+      MOZ_CRASH("prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER)");
     }
   } else {
     if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, (unsigned long)aProg, 0, 0)) {
       SANDBOX_LOG_ERROR("prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER) failed: %s",
                         strerror(errno));
-      return false;
+      MOZ_CRASH("seccomp+tsync failed, but kernel supports tsync");
     }
   }
   return true;
@@ -246,7 +251,7 @@ InstallSyscallFilter(const sock_fprog *aProg, bool aUseTSync)
 // The communication channel from the signal handler back to the main thread.
 static mozilla::Atomic<int> gSetSandboxDone;
 // Pass the filter itself through a global.
-static const sock_fprog* gSetSandboxFilter;
+const sock_fprog* gSetSandboxFilter;
 
 // We have to dynamically allocate the signal number; see bug 1038900.
 // This function returns the first realtime signal currently set to
@@ -275,13 +280,7 @@ FindFreeSignalNumber()
 static bool
 SetThreadSandbox()
 {
-  if (prctl(PR_GET_SECCOMP, 0, 0, 0, 0) == 0) {
-    if (!InstallSyscallFilter(gSetSandboxFilter, false)) {
-      MOZ_CRASH("prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER)");
-    }
-    return true;
-  }
-  return false;
+  return InstallSyscallFilter(gSetSandboxFilter, false);
 }
 
 static void
@@ -451,7 +450,7 @@ ApplySandboxWithTSync(sock_fprog* aFilter)
   // isn't used... but this failure shouldn't happen in the first
   // place, so let's not make extra special cases for it.)
   if (!InstallSyscallFilter(aFilter, true)) {
-    MOZ_CRASH("seccomp+tsync failed, but kernel supports tsync");
+    MOZ_CRASH();
   }
 }
 

security/sandbox/linux/SandboxFilter.cpp

@@ -8,6 +8,7 @@
 #include "SandboxFilterUtil.h"
 
 #include "SandboxBrokerClient.h"
+#include "SandboxInfo.h"
 #include "SandboxInternal.h"
 #include "SandboxLogging.h"
 
@@ -92,6 +93,16 @@ private:
   }
 #endif
 
+  static intptr_t SetNoNewPrivsTrap(ArgsRef& aArgs, void* aux) {
+    if (gSetSandboxFilter == nullptr) {
+      // Called after BroadcastSetThreadSandbox finished, therefore
+      // not our doing and not expected.
+      return BlockedSyscallTrap(aArgs, nullptr);
+    }
+    // Signal that the filter is already in place.
+    return -ETXTBSY;
+  }
+
 public:
   virtual ResultExpr InvalidSyscall() const override {
     return Trap(BlockedSyscallTrap, nullptr);
@@ -249,8 +260,16 @@ public:
 #endif
 
       // prctl
-    case __NR_prctl:
-      return PrctlPolicy();
+    case __NR_prctl: {
+      if (SandboxInfo::Get().Test(SandboxInfo::kHasSeccompTSync)) {
+        return PrctlPolicy();
+      }
+
+      Arg<int> option(0);
+      return If(option == PR_SET_NO_NEW_PRIVS,
+                Trap(SetNoNewPrivsTrap, nullptr))
+        .Else(PrctlPolicy());
+    }
 
       // NSPR can call this when creating a thread, but it will accept a
       // polite "no".

security/sandbox/linux/SandboxInternal.h

@@ -11,6 +11,8 @@
 
 #include "mozilla/Types.h"
 
+struct sock_fprog;
+
 namespace mozilla {
 
 // SandboxCrash() has to be in libxul to use internal interfaces, but
@@ -19,6 +21,7 @@ namespace mozilla {
 
 typedef void (*SandboxCrashFunc)(int, siginfo_t*, void*);
 extern MOZ_EXPORT SandboxCrashFunc gSandboxCrashFunc;
+extern const sock_fprog* gSetSandboxFilter;
 
 } // namespace mozilla
 

testing/web-platform/meta/FileAPI/blob/Blob-constructor.html.ini

@@ -1,6 +1,8 @@
 [Blob-constructor.html]
+  type: testharness
   [The 'endings' property should be ignored.]
     expected: FAIL
 
   [Newlines should not change when endings is 'native'.]
     expected: FAIL
+

testing/web-platform/meta/fetch/api/basic/request-headers-worker.html.ini

@@ -3,3 +3,4 @@
   [Fetch with POST with FormData body]
     expected: FAIL
     bug: https://github.com/whatwg/fetch/issues/422
+

testing/web-platform/meta/fetch/api/basic/request-headers.html.ini

@@ -3,3 +3,4 @@
   [Fetch with POST with FormData body]
     expected: FAIL
     bug: https://github.com/whatwg/fetch/issues/422
+

testing/web-platform/meta/mathml/presentation-markup/fractions/frac-1.html.ini

@@ -12,6 +12,8 @@
       if not debug and not e10s and (os == "linux") and (version == "Ubuntu 12.04") and (processor == "x86_64") and (bits == 64): FAIL
       if not debug and e10s and (os == "linux") and (version == "Ubuntu 12.04") and (processor == "x86_64") and (bits == 64): FAIL
       if debug and e10s and (os == "win") and (version == "5.1.2600") and (processor == "x86") and (bits == 32): FAIL
+
   [Fraction axis is aligned on the math axis]
     expected:
       if (os == "linux") and (version == "Ubuntu 16.04"): FAIL
+

testing/web-platform/meta/presentation-api/controlling-ua/startNewPresentation_error.html.ini

@@ -4,3 +4,4 @@
   prefs: [dom.presentation.enabled: true, dom.presentation.controller.enabled: true, dom.presentation.discovery.enabled: true, dom.presentation.device.name: "Firefox"]
   [The presentation could not start, because a user gesture is required.]
     expected: FAIL
+

testing/web-platform/meta/referrer-policy/generic/unsupported-csp-referrer-directive.html.ini

@@ -1,8 +1,7 @@
 [unsupported-csp-referrer-directive.html]
   type: testharness
-  expected: TIMEOUT
   disabled:
     if (os == "linux") and (bits == 64): true
   [Image has a referrer despite CSP 'referrer' directive]
-    expected: NOTRUN
+    expected: FAIL
 

testing/web-platform/meta/referrer-policy/no-referrer-when-downgrade/attr-referrer/cross-origin/http-http/img-tag/insecure-protocol.keep-origin-redirect.http.html.ini

@@ -2,11 +2,7 @@
   type: testharness
   expected:
     if (os == "linux") and (version == "Ubuntu 16.04"): OK
-    if (os == "linux") and (version == "Ubuntu 12.04"): TIMEOUT
-    if not (os == "linux"): TIMEOUT
   [The referrer URL is stripped-referrer when a\n                                 document served over http requires an http\n                                 sub-resource via img-tag using the attr-referrer\n                                 delivery method with keep-origin-redirect and when\n                                 the target request is cross-origin.]
     expected:
       if (os == "linux") and (version == "Ubuntu 16.04"): PASS
-      if (os == "linux") and (version == "Ubuntu 12.04"): NOTRUN
-      if not (os == "linux"): NOTRUN
 

testing/web-platform/meta/referrer-policy/no-referrer-when-downgrade/attr-referrer/cross-origin/http-http/img-tag/insecure-protocol.no-redirect.http.html.ini

@@ -2,11 +2,7 @@
   type: testharness
   expected:
     if (os == "linux") and (version == "Ubuntu 16.04"): OK
-    if (os == "linux") and (version == "Ubuntu 12.04"): TIMEOUT
-    if not (os == "linux"): TIMEOUT
   [The referrer URL is stripped-referrer when a\n                                 document served over http requires an http\n                                 sub-resource via img-tag using the attr-referrer\n                                 delivery method with no-redirect and when\n                                 the target request is cross-origin.]
     expected:
       if (os == "linux") and (version == "Ubuntu 16.04"): PASS
-      if (os == "linux") and (version == "Ubuntu 12.04"): NOTRUN
-      if not (os == "linux"): NOTRUN
 

testing/web-platform/meta/referrer-policy/no-referrer-when-downgrade/attr-referrer/cross-origin/http-http/img-tag/insecure-protocol.swap-origin-redirect.http.html.ini

@@ -2,11 +2,7 @@
   type: testharness
   expected:
     if (os == "linux") and (version == "Ubuntu 16.04"): OK
-    if (os == "linux") and (version == "Ubuntu 12.04"): TIMEOUT
-    if not (os == "linux"): TIMEOUT
   [The referrer URL is stripped-referrer when a\n                                 document served over http requires an http\n                                 sub-resource via img-tag using the attr-referrer\n                                 delivery method with swap-origin-redirect and when\n                                 the target request is cross-origin.]
     expected:
       if (os == "linux") and (version == "Ubuntu 16.04"): PASS
-      if (os == "linux") and (version == "Ubuntu 12.04"): NOTRUN
-      if not (os == "linux"): NOTRUN
 

testing/web-platform/meta/referrer-policy/no-referrer-when-downgrade/attr-referrer/cross-origin/http-https/img-tag/upgrade-protocol.keep-origin-redirect.http.html.ini

@@ -2,11 +2,7 @@
   type: testharness
   expected:
     if (os == "linux") and (version == "Ubuntu 16.04"): OK
-    if (os == "linux") and (version == "Ubuntu 12.04"): TIMEOUT
-    if not (os == "linux"): TIMEOUT
   [The referrer URL is stripped-referrer when a\n                                 document served over http requires an https\n                                 sub-resource via img-tag using the attr-referrer\n                                 delivery method with keep-origin-redirect and when\n                                 the target request is cross-origin.]
     expected:
       if (os == "linux") and (version == "Ubuntu 16.04"): PASS
-      if (os == "linux") and (version == "Ubuntu 12.04"): NOTRUN
-      if not (os == "linux"): NOTRUN
 

testing/web-platform/meta/referrer-policy/no-referrer-when-downgrade/attr-referrer/cross-origin/http-https/img-tag/upgrade-protocol.no-redirect.http.html.ini

@@ -2,11 +2,7 @@
   type: testharness
   expected:
     if (os == "linux") and (version == "Ubuntu 16.04"): OK
-    if (os == "linux") and (version == "Ubuntu 12.04"): TIMEOUT
-    if not (os == "linux"): TIMEOUT
   [The referrer URL is stripped-referrer when a\n                                 document served over http requires an https\n                                 sub-resource via img-tag using the attr-referrer\n                                 delivery method with no-redirect and when\n                                 the target request is cross-origin.]
     expected:
       if (os == "linux") and (version == "Ubuntu 16.04"): PASS
-      if (os == "linux") and (version == "Ubuntu 12.04"): NOTRUN
-      if not (os == "linux"): NOTRUN
 

testing/web-platform/meta/referrer-policy/no-referrer-when-downgrade/attr-referrer/cross-origin/http-https/img-tag/upgrade-protocol.swap-origin-redirect.http.html.ini

@@ -2,11 +2,7 @@
   type: testharness
   expected:
     if (os == "linux") and (version == "Ubuntu 16.04"): OK
-    if (os == "linux") and (version == "Ubuntu 12.04"): TIMEOUT
-    if not (os == "linux"): TIMEOUT
   [The referrer URL is stripped-referrer when a\n                                 document served over http requires an https\n                                 sub-resource via img-tag using the attr-referrer\n                                 delivery method with swap-origin-redirect and when\n                                 the target request is cross-origin.]
     expected:
       if (os == "linux") and (version == "Ubuntu 16.04"): PASS
-      if (os == "linux") and (version == "Ubuntu 12.04"): NOTRUN
-      if not (os == "linux"): NOTRUN
 

testing/web-platform/meta/referrer-policy/no-referrer-when-downgrade/attr-referrer/same-origin/http-http/img-tag/insecure-protocol.keep-origin-redirect.http.html.ini

@@ -2,11 +2,7 @@
   type: testharness
   expected:
     if (os == "linux") and (version == "Ubuntu 16.04"): OK
-    if (os == "linux") and (version == "Ubuntu 12.04"): TIMEOUT
-    if not (os == "linux"): TIMEOUT
   [The referrer URL is stripped-referrer when a\n                                 document served over http requires an http\n                                 sub-resource via img-tag using the attr-referrer\n                                 delivery method with keep-origin-redirect and when\n                                 the target request is same-origin.]
     expected:
       if (os == "linux") and (version == "Ubuntu 16.04"): PASS
-      if (os == "linux") and (version == "Ubuntu 12.04"): NOTRUN
-      if not (os == "linux"): NOTRUN
 

testing/web-platform/meta/referrer-policy/no-referrer-when-downgrade/attr-referrer/same-origin/http-http/img-tag/insecure-protocol.no-redirect.http.html.ini

@@ -2,11 +2,7 @@
   type: testharness
   expected:
     if (os == "linux") and (version == "Ubuntu 16.04"): OK
-    if (os == "linux") and (version == "Ubuntu 12.04"): TIMEOUT
-    if not (os == "linux"): TIMEOUT
   [The referrer URL is stripped-referrer when a\n                                 document served over http requires an http\n                                 sub-resource via img-tag using the attr-referrer\n                                 delivery method with no-redirect and when\n                                 the target request is same-origin.]
     expected:
       if (os == "linux") and (version == "Ubuntu 16.04"): PASS
-      if (os == "linux") and (version == "Ubuntu 12.04"): NOTRUN
-      if not (os == "linux"): NOTRUN
 

testing/web-platform/meta/referrer-policy/no-referrer-when-downgrade/attr-referrer/same-origin/http-http/img-tag/insecure-protocol.swap-origin-redirect.http.html.ini

@@ -2,11 +2,7 @@
   type: testharness
   expected:
     if (os == "linux") and (version == "Ubuntu 16.04"): OK
-    if (os == "linux") and (version == "Ubuntu 12.04"): TIMEOUT
-    if not (os == "linux"): TIMEOUT
   [The referrer URL is stripped-referrer when a\n                                 document served over http requires an http\n                                 sub-resource via img-tag using the attr-referrer\n                                 delivery method with swap-origin-redirect and when\n                                 the target request is same-origin.]
     expected:
       if (os == "linux") and (version == "Ubuntu 16.04"): PASS
-      if (os == "linux") and (version == "Ubuntu 12.04"): NOTRUN
-      if not (os == "linux"): NOTRUN
 

testing/web-platform/meta/referrer-policy/no-referrer-when-downgrade/attr-referrer/same-origin/http-https/img-tag/upgrade-protocol.keep-origin-redirect.http.html.ini

@@ -2,11 +2,7 @@
   type: testharness
   expected:
     if (os == "linux") and (version == "Ubuntu 16.04"): OK
-    if (os == "linux") and (version == "Ubuntu 12.04"): TIMEOUT
-    if not (os == "linux"): TIMEOUT
   [The referrer URL is stripped-referrer when a\n                                 document served over http requires an https\n                                 sub-resource via img-tag using the attr-referrer\n                                 delivery method with keep-origin-redirect and when\n                                 the target request is same-origin.]
     expected:
       if (os == "linux") and (version == "Ubuntu 16.04"): PASS
-      if (os == "linux") and (version == "Ubuntu 12.04"): NOTRUN
-      if not (os == "linux"): NOTRUN
 

testing/web-platform/meta/referrer-policy/no-referrer-when-downgrade/attr-referrer/same-origin/http-https/img-tag/upgrade-protocol.no-redirect.http.html.ini

@@ -2,11 +2,7 @@
   type: testharness
   expected:
     if (os == "linux") and (version == "Ubuntu 16.04"): OK
-    if (os == "linux") and (version == "Ubuntu 12.04"): TIMEOUT
-    if not (os == "linux"): TIMEOUT
   [The referrer URL is stripped-referrer when a\n                                 document served over http requires an https\n                                 sub-resource via img-tag using the attr-referrer\n                                 delivery method with no-redirect and when\n                                 the target request is same-origin.]
     expected:
       if (os == "linux") and (version == "Ubuntu 16.04"): PASS
-      if (os == "linux") and (version == "Ubuntu 12.04"): NOTRUN
-      if not (os == "linux"): NOTRUN
 

testing/web-platform/meta/referrer-policy/no-referrer-when-downgrade/attr-referrer/same-origin/http-https/img-tag/upgrade-protocol.swap-origin-redirect.http.html.ini

@@ -2,11 +2,7 @@
   type: testharness
   expected:
     if (os == "linux") and (version == "Ubuntu 16.04"): OK
-    if (os == "linux") and (version == "Ubuntu 12.04"): TIMEOUT
-    if not (os == "linux"): TIMEOUT
   [The referrer URL is stripped-referrer when a\n                                 document served over http requires an https\n                                 sub-resource via img-tag using the attr-referrer\n                                 delivery method with swap-origin-redirect and when\n                                 the target request is same-origin.]
     expected:
       if (os == "linux") and (version == "Ubuntu 16.04"): PASS
-      if (os == "linux") and (version == "Ubuntu 12.04"): NOTRUN
-      if not (os == "linux"): NOTRUN
 

testing/web-platform/meta/referrer-policy/no-referrer-when-downgrade/http-rp/cross-origin/http-http/img-tag/insecure-protocol.keep-origin-redirect.http.html.ini

@@ -2,11 +2,7 @@
   type: testharness
   expected:
     if (os == "linux") and (version == "Ubuntu 16.04"): OK
-    if (os == "linux") and (version == "Ubuntu 12.04"): TIMEOUT
-    if not (os == "linux"): TIMEOUT
   [The referrer URL is stripped-referrer when a\n                                 document served over http requires an http\n                                 sub-resource via img-tag using the http-rp\n                                 delivery method with keep-origin-redirect and when\n                                 the target request is cross-origin.]
     expected:
       if (os == "linux") and (version == "Ubuntu 16.04"): PASS
-      if (os == "linux") and (version == "Ubuntu 12.04"): NOTRUN
-      if not (os == "linux"): NOTRUN
 

testing/web-platform/meta/referrer-policy/no-referrer-when-downgrade/http-rp/cross-origin/http-http/img-tag/insecure-protocol.no-redirect.http.html.ini

@@ -2,11 +2,7 @@
   type: testharness
   expected:
     if (os == "linux") and (version == "Ubuntu 16.04"): OK
-    if (os == "linux") and (version == "Ubuntu 12.04"): TIMEOUT
-    if not (os == "linux"): TIMEOUT
   [The referrer URL is stripped-referrer when a\n                                 document served over http requires an http\n                                 sub-resource via img-tag using the http-rp\n                                 delivery method with no-redirect and when\n                                 the target request is cross-origin.]
     expected:
       if (os == "linux") and (version == "Ubuntu 16.04"): PASS
-      if (os == "linux") and (version == "Ubuntu 12.04"): NOTRUN
-      if not (os == "linux"): NOTRUN
 

testing/web-platform/meta/referrer-policy/no-referrer-when-downgrade/http-rp/cross-origin/http-http/img-tag/insecure-protocol.swap-origin-redirect.http.html.ini

@@ -2,11 +2,7 @@
   type: testharness
   expected:
     if (os == "linux") and (version == "Ubuntu 16.04"): OK
-    if (os == "linux") and (version == "Ubuntu 12.04"): TIMEOUT
-    if not (os == "linux"): TIMEOUT
   [The referrer URL is stripped-referrer when a\n                                 document served over http requires an http\n                                 sub-resource via img-tag using the http-rp\n                                 delivery method with swap-origin-redirect and when\n                                 the target request is cross-origin.]
     expected:
       if (os == "linux") and (version == "Ubuntu 16.04"): PASS
-      if (os == "linux") and (version == "Ubuntu 12.04"): NOTRUN
-      if not (os == "linux"): NOTRUN
 

testing/web-platform/meta/referrer-policy/no-referrer-when-downgrade/http-rp/cross-origin/http-https/img-tag/upgrade-protocol.keep-origin-redirect.http.html.ini

@@ -2,11 +2,7 @@
   type: testharness
   expected:
     if (os == "linux") and (version == "Ubuntu 16.04"): OK
-    if (os == "linux") and (version == "Ubuntu 12.04"): TIMEOUT
-    if not (os == "linux"): TIMEOUT
   [The referrer URL is stripped-referrer when a\n                                 document served over http requires an https\n                                 sub-resource via img-tag using the http-rp\n                                 delivery method with keep-origin-redirect and when\n                                 the target request is cross-origin.]
     expected:
       if (os == "linux") and (version == "Ubuntu 16.04"): PASS
-      if (os == "linux") and (version == "Ubuntu 12.04"): NOTRUN
-      if not (os == "linux"): NOTRUN
 

testing/web-platform/meta/referrer-policy/no-referrer-when-downgrade/http-rp/cross-origin/http-https/img-tag/upgrade-protocol.no-redirect.http.html.ini

@@ -2,11 +2,7 @@
   type: testharness
   expected:
     if (os == "linux") and (version == "Ubuntu 16.04"): OK
-    if (os == "linux") and (version == "Ubuntu 12.04"): TIMEOUT
-    if not (os == "linux"): TIMEOUT
   [The referrer URL is stripped-referrer when a\n                                 document served over http requires an https\n                                 sub-resource via img-tag using the http-rp\n                                 delivery method with no-redirect and when\n                                 the target request is cross-origin.]
     expected:
       if (os == "linux") and (version == "Ubuntu 16.04"): PASS
-      if (os == "linux") and (version == "Ubuntu 12.04"): NOTRUN
-      if not (os == "linux"): NOTRUN
 

testing/web-platform/meta/referrer-policy/no-referrer-when-downgrade/http-rp/cross-origin/http-https/img-tag/upgrade-protocol.swap-origin-redirect.http.html.ini

@@ -2,11 +2,7 @@
   type: testharness
   expected:
     if (os == "linux") and (version == "Ubuntu 16.04"): OK
-    if (os == "linux") and (version == "Ubuntu 12.04"): TIMEOUT
-    if not (os == "linux"): TIMEOUT
   [The referrer URL is stripped-referrer when a\n                                 document served over http requires an https\n                                 sub-resource via img-tag using the http-rp\n                                 delivery method with swap-origin-redirect and when\n                                 the target request is cross-origin.]
     expected:
       if (os == "linux") and (version == "Ubuntu 16.04"): PASS
-      if (os == "linux") and (version == "Ubuntu 12.04"): NOTRUN
-      if not (os == "linux"): NOTRUN
 

testing/web-platform/meta/referrer-policy/no-referrer-when-downgrade/http-rp/same-origin/http-http/img-tag/insecure-protocol.keep-origin-redirect.http.html.ini

@@ -2,11 +2,7 @@
   type: testharness
   expected:
     if (os == "linux") and (version == "Ubuntu 16.04"): OK
-    if (os == "linux") and (version == "Ubuntu 12.04"): TIMEOUT
-    if not (os == "linux"): TIMEOUT
   [The referrer URL is stripped-referrer when a\n                                 document served over http requires an http\n                                 sub-resource via img-tag using the http-rp\n                                 delivery method with keep-origin-redirect and when\n                                 the target request is same-origin.]
     expected:
       if (os == "linux") and (version == "Ubuntu 16.04"): PASS
-      if (os == "linux") and (version == "Ubuntu 12.04"): NOTRUN
-      if not (os == "linux"): NOTRUN
 

testing/web-platform/meta/referrer-policy/no-referrer-when-downgrade/http-rp/same-origin/http-http/img-tag/insecure-protocol.no-redirect.http.html.ini

@@ -2,11 +2,7 @@
   type: testharness
   expected:
     if (os == "linux") and (version == "Ubuntu 16.04"): OK
-    if (os == "linux") and (version == "Ubuntu 12.04"): TIMEOUT
-    if not (os == "linux"): TIMEOUT
   [The referrer URL is stripped-referrer when a\n                                 document served over http requires an http\n                                 sub-resource via img-tag using the http-rp\n                                 delivery method with no-redirect and when\n                                 the target request is same-origin.]
     expected:
       if (os == "linux") and (version == "Ubuntu 16.04"): PASS
-      if (os == "linux") and (version == "Ubuntu 12.04"): NOTRUN
-      if not (os == "linux"): NOTRUN
 

testing/web-platform/meta/referrer-policy/no-referrer-when-downgrade/http-rp/same-origin/http-http/img-tag/insecure-protocol.swap-origin-redirect.http.html.ini

@@ -2,11 +2,7 @@
   type: testharness
   expected:
     if (os == "linux") and (version == "Ubuntu 16.04"): OK
-    if (os == "linux") and (version == "Ubuntu 12.04"): TIMEOUT
-    if not (os == "linux"): TIMEOUT
   [The referrer URL is stripped-referrer when a\n                                 document served over http requires an http\n                                 sub-resource via img-tag using the http-rp\n                                 delivery method with swap-origin-redirect and when\n                                 the target request is same-origin.]
     expected:
       if (os == "linux") and (version == "Ubuntu 16.04"): PASS
-      if (os == "linux") and (version == "Ubuntu 12.04"): NOTRUN
-      if not (os == "linux"): NOTRUN
 

testing/web-platform/meta/referrer-policy/no-referrer-when-downgrade/http-rp/same-origin/http-https/img-tag/upgrade-protocol.keep-origin-redirect.http.html.ini

@@ -2,11 +2,7 @@
   type: testharness
   expected:
     if (os == "linux") and (version == "Ubuntu 16.04"): OK
-    if (os == "linux") and (version == "Ubuntu 12.04"): TIMEOUT
-    if not (os == "linux"): TIMEOUT
   [The referrer URL is stripped-referrer when a\n                                 document served over http requires an https\n                                 sub-resource via img-tag using the http-rp\n                                 delivery method with keep-origin-redirect and when\n                                 the target request is same-origin.]
     expected:
       if (os == "linux") and (version == "Ubuntu 16.04"): PASS
-      if (os == "linux") and (version == "Ubuntu 12.04"): NOTRUN
-      if not (os == "linux"): NOTRUN
 

testing/web-platform/meta/referrer-policy/no-referrer-when-downgrade/http-rp/same-origin/http-https/img-tag/upgrade-protocol.no-redirect.http.html.ini

@@ -2,11 +2,7 @@
   type: testharness
   expected:
     if (os == "linux") and (version == "Ubuntu 16.04"): OK
-    if (os == "linux") and (version == "Ubuntu 12.04"): TIMEOUT
-    if not (os == "linux"): TIMEOUT
   [The referrer URL is stripped-referrer when a\n                                 document served over http requires an https\n                                 sub-resource via img-tag using the http-rp\n                                 delivery method with no-redirect and when\n                                 the target request is same-origin.]
     expected:
       if (os == "linux") and (version == "Ubuntu 16.04"): PASS
-      if (os == "linux") and (version == "Ubuntu 12.04"): NOTRUN
-      if not (os == "linux"): NOTRUN
 

testing/web-platform/meta/referrer-policy/no-referrer-when-downgrade/http-rp/same-origin/http-https/img-tag/upgrade-protocol.swap-origin-redirect.http.html.ini

@@ -2,11 +2,7 @@
   type: testharness
   expected:
     if (os == "linux") and (version == "Ubuntu 16.04"): OK
-    if (os == "linux") and (version == "Ubuntu 12.04"): TIMEOUT
-    if not (os == "linux"): TIMEOUT
   [The referrer URL is stripped-referrer when a\n                                 document served over http requires an https\n                                 sub-resource via img-tag using the http-rp\n                                 delivery method with swap-origin-redirect and when\n                                 the target request is same-origin.]
     expected:
       if (os == "linux") and (version == "Ubuntu 16.04"): PASS
-      if (os == "linux") and (version == "Ubuntu 12.04"): NOTRUN
-      if not (os == "linux"): NOTRUN